
Chapter 3 Information Systems Development and Management

Objectives
After completing this chapter, you will be able to:
Understand how organizations develop their information systems.
Identify the key participants in the system development process and understand their roles.
Explain the phases in the system development life cycle.
Identify the core activities in the information systems development process.
Understand other system-building alternatives.
Understand ethical and social issues related to information systems.
Understand information security and control.

Contents
Overview of System Development
    System Development
    Information System Planning
    Establishing Objectives and Information Requirements for Systems Development
    Measuring Information System Performance
    Project Management

Participants in Information Systems Development

System Development Life Cycle
    Phases in System Development Cycle
    Planning Phase
    Analysis Phase
    Design Phase
    Implementation Phase
    Operation and Maintenance Phase
    CASE Tools

Alternative System Development Approaches
    Prototyping
    Application Software Package
    End-User Development
    Developing Systems with Teams: JAD and RAD
    Outsourcing
    Summary

Information System Management
    Understanding Ethical and Social Issues Related to Systems
    Information Security
    Establishing a Framework for System Security and Control

3.1 Overview of System Development


3.1.1 System Development
A system is a set of components that interact to achieve a common goal. You use, observe, and interact with many systems during daily activities. You drive a highway system to reach a destination. You use a programmable thermostat to regulate your heating and cooling systems to save energy. Businesses also use many types of systems. A billing system allows a company to send invoices and receive payments from customers. An inventory system keeps track of the items in a warehouse. A manufacturing system produces the goods that customers order. Through a payroll system, employees receive paychecks. Very often, these systems also are information systems.

An information system is a collection of hardware, software, data, people, communications, and procedures that work together to produce quality information. The goal of an information system is to provide users with high-quality information so they can make effective decisions. An information system supports daily, short-term, and long-range activities of users. Some examples of users include store clerks, sales representatives, accountants, supervisors, managers, executives, and customers. The kinds and types of information that users need often change over time. As a system user in a business, you someday may participate in the modification of an existing system or the development of a new system. Thus, it is important that you understand system development in business.

Systems development is the activity of creating a new business system or modifying an existing business system. It refers to all aspects of the process, from identifying problems to be solved or opportunities to be exploited to the implementation and refinement of the chosen solution. Whatever its scope and objectives, a new information system is an outgrowth of a process of organizational problem solving. A new information system is developed as a solution to some type of problem or set of problems the organization perceives it is facing. The problem may be one where managers and employees realize that the organization is not performing as well as expected, or it may come from the realization that the organization should take advantage of new opportunities to perform more successfully. When information requirements change, the information system must meet the new requirements. In some cases, the current information system is modified; in other cases, an entirely new information system is developed.

Understanding information systems development is important to all professionals, not just those in the field of information systems. In today's organizations, managers and employees in all levels and functional areas work together and use business information systems. As a result, users of all types are helping with systems development and, in many cases, leading the way.
At some point in your career, you will likely be involved in a systems development project: as a user, as a manager of a business area or project team, as a member of the information systems department, maybe even as a CIO (Chief Information Officer) or CEO. Understanding and being able to apply systems development life cycle concepts, tools and techniques will help ensure the success of the development projects in which you participate.

One important thing to know about information systems development is that an information system is a sociotechnical entity, an arrangement of both technical and social elements. The development of a new information system not only involves hardware, software, data, programmers and communications, but also includes changes in jobs, knowledge, skills, management, policies, processes, and organization. Often new systems mean new ways of doing business and working together. Building a new information system will affect the organization as a whole and change the decision-making process. When we develop a new information system, we are actually changing the organization and business processes. System builders must understand how a system will affect the organization as a whole, focusing particularly on organizational conflict and changes in the locus of decision making. Builders must also consider how the nature of work groups will change under the new system. Systems can be technical successes but organizational failures because of a failure in the social and political process of building the system. Therefore, information systems development has become an essential component of the organizational planning process.

3.1.2 Information Systems Planning

Because an organization's business strategic plan contains both organizational goals and a broad outline of steps required to reach them, the business strategic plan affects the type of system an organization needs. Deciding which new systems to build should be an essential component of the organizational planning process. Organizations need to develop an information systems plan that supports their overall business plan and in which strategic systems are incorporated into top-level planning. Information systems planning refers to the process of translating strategic and organizational goals into systems development plans and initiatives (Figure 3-1). For example, part of the information systems plan for a luxury car company might be to build a new product tracking system to meet the organizational goal of improving customer service. Proper information systems planning ensures that specific systems development objectives support organizational goals.

One of the primary benefits of information systems planning is that it provides a long-range view of information technology use in the organization. The information systems plan provides guidance on how the information systems infrastructure of the organization should be developed over time. The plan serves as a road map indicating the direction and rationale of systems development. Another benefit of information systems planning is that it ensures better use of information systems resources, including funds, information systems personnel, and time for scheduling specific projects.

Figure 3-1 The process of information systems planning (diagram elements: Organization's Business Strategic Plan; Information Systems Planning; Information Systems Plan; System Development Initiatives)


Figure 3-2 shows the steps of information systems planning. Overall objectives of information systems are usually distilled from the relevant aspects of the organization's business strategic plan. Information systems projects can be identified either directly from the objectives determined in the first step or may be identified by others, such as managers within the various functional areas. Setting priorities and selecting projects typically requires the involvement and approval of senior management. Once specific projects have been selected within the overall context of a strategic plan for the business and the systems area, an information systems plan can be developed. The plan contains a statement of organizational goals, identifies the project objectives, and specifies how information technology supports the attainment of the organizational goals. When objectives are set, planners consider the resources necessary to complete the projects including equipment (computers, network servers, printers, and other equipment and devices), software, employees (systems analysts, programmers, users and others), expert advice (specialists and other consultants), and so on. The information systems plan lays out specific target dates and milestones that can be used later to monitor the plan's progress in terms of how many objectives were actually attained in the time frame specified in the plan. The plan also includes the key management decisions concerning hardware acquisition; structure of authority, data, and hardware; telecommunications; and required organizational change. Organizational changes are usually described, including management and employee training requirements; recruiting efforts; changes in business processes; and changes in authority, structure, or management practice. The manager's toolkit in Figure 3-3 gives the guideline for developing an information system plan.

Figure 3-2 The steps of information system planning (steps shown, in order: Strategic Plan; Develop overall objectives; Identify information system projects; Set priorities and select projects; Develop information systems plan; Analyze resource requirements; Set schedules and deadlines; Develop information system planning document)

As part of translating the corporate strategic plan into the information systems plan, many companies seek systems development projects that will provide a competitive advantage. This usually requires creative and critical analysis. Creative analysis involves the investigation of new approaches to existing problems. By looking at problems in new or different ways and by introducing innovative methods to solve them, many firms have gained a competitive advantage. Typically, these new solutions are inspired by people and things not directly related to the problem. Critical analysis requires unbiased and careful questioning of whether system elements are related in the most effective or efficient ways. It involves considering the establishment of new or different relationships among system elements and perhaps introducing new elements into the system.

3.1.3 Establishing Objectives and Information Requirement for Systems Development


The impact a particular system has on an organization's ability to meet its goals determines the true value of that system to the organization. While all systems should support business goals, some systems are more pivotal in continued operations and goal attainment than others. These systems are called mission-critical systems. An order processing TPS, for example, is usually considered mission-critical. Without it, few organizations could continue daily activities, and they clearly would not meet their goals. The goals defined for an organization will in turn define the objectives set for a system. A manufacturing plant, for example, might determine that minimizing the total cost of owning and operating its equipment is a critical success factor (CSF) in meeting its production volume and profit goals. This CSF would be converted into specific objectives for a proposed plant equipment maintenance system. One specific objective might be to alert maintenance planners when a piece of equipment is due for routine preventive maintenance (e.g., cleaning and lubrication). Another objective might be to alert the maintenance planners when the necessary cleaning materials, lubrication oils, or spare parts inventory levels are below specified limits.


Manager's Toolkit: How to Develop an Information Systems Plan
A good information systems plan should address the following topics:

1. Purpose of the Plan
   Overview of plan contents
   Changes in firm's current situation
   Firm's strategic plan
   Current business organization and future organization
   Key business processes
   Management Strategy
2. Strategic Business Plan
   Current situation
   Current business organization
   Changing environments
   Major Environments
3. Current Systems
   Major systems supporting business functions and processes
   Current infrastructure capabilities
      o Hardware
      o Software
      o Database
      o Telecommunications and Internet
   Difficulties meeting business requirements
   Anticipated future demands
4. New Development
   New system projects
      o Project descriptions
      o Business rationale
   New infrastructure capabilities required
      o Hardware
      o Software
      o Database
      o Telecommunications and Internet
5. Management Strategy
   Acquisition plans
   Milestones and timing
   Organizational realignment
   Internal reorganization
   Management controls
   Major training initiatives
   Personnel strategy
6. Implementation Plan
   Anticipated difficulties in implementation
   Progress reports
7. Budget Requirement
   Requirements
   Potential savings
   Financing
   Acquisition cycle

Figure 3-3 Guideline of an information system plan

These objectives could be accomplished either through automatic stock replenishment via electronic data interchange or through the use of exception reports. Regardless of the particular system development effort, the development process should define a system with specific performance and cost objectives. The success or failure of the systems development effort will be measured against these objectives. Performance objectives measure the extent to which a system performs as desired. Is the system generating the right information for a value-added business process? Is the output generated in a form that is usable and easily understood? Is the system generating output in time to meet organizational goals and operational objectives? Cost objectives attempt to balance the benefits of achieving performance goals with all costs associated with the system. Balancing performance and cost objectives within the overall framework of organizational goals can be challenging. Systems development objectives are important, however, in that they allow an organization to effectively and efficiently allocate resources and measure the success of a systems development effort. In order to develop an effective information systems plan, the organization must have a clear understanding of both its long- and short-term information requirements. Two principal methodologies for establishing the essential information requirements of the organization as a whole are enterprise analysis and critical success factors. Enterprise analysis argues that the firm's information requirements can only be understood by looking at the entire organization in terms of organizational units, functions, processes, and data elements. Enterprise analysis can help identify the key entities and attributes of the organization's data. 
The central method used in the enterprise analysis approach is to take a large sample of managers and ask them how they use information, where they get the information, what their environments are like, what their objectives are, how they make decisions, and what their data needs are. The results of this large survey of managers are aggregated into subunits, functions, processes, and data matrices. Data elements are organized into logical application groups, that is, groups of data elements that support related sets of organizational processes. The weakness of enterprise analysis is that it produces an enormous amount of data that is expensive to collect and difficult to analyze. Most of the interviews are conducted with senior or middle managers, but there is little effort to collect information from clerical workers and supervisory managers. Moreover, the questions frequently focus not on management's critical objectives and where information is needed but rather on what existing information is used. The result is a tendency to automate whatever exists. But in many instances, entirely new approaches to how business is conducted are needed, and these needs are not addressed.

The strategic analysis or critical success factors approach argues that an organization's information requirements are determined by a small number of critical success factors (CSFs) of managers. If these goals can be attained, the firm's or organization's success is assured. CSFs are shaped by the industry, the firm, the manager, and the broader environment. An important premise of the strategic analysis approach is that there are a small number of objectives that managers can easily identify and on which information systems can focus. The strength of the CSF method is that it produces a smaller data set to analyze than does enterprise analysis. The CSF method takes into account the changing environment with which organizations and managers must deal. This method explicitly asks managers to look at the environment and consider how their analysis of it shapes their information needs. Unlike enterprise analysis, the CSF method focuses organizational attention on how information should be handled.

The method's primary weakness is that the aggregation process and the analysis of the data are art forms. There is no particularly rigorous way in which individual CSFs can be aggregated into a clear company pattern. Second, there is often confusion among interviewees (and interviewers) between individual and organizational CSFs. They are not necessarily the same. What can be critical to a manager may not be important for the organization. Moreover, this method is clearly biased toward top managers because they are generally the only ones interviewed.

Efficiency IT Metrics
   Throughput: The amount of information that can travel through a system at any point in time
   Transaction Speed: The amount of time a system takes to perform a transaction
   System Availability: The number of hours a system is available for users
   Web Traffic: Includes a host of benchmarks such as the number of page views, the number of unique visitors, and the average time spent viewing a Web page
   Response Time: The time it takes to respond to user interactions such as a mouse click
   Information Accuracy: The extent to which a system generates the correct results when executing the same transaction numerous times

Effectiveness IT Metrics
   Usability: The ease with which people perform transactions and/or find information. A popular usability metric on the Internet is degrees of freedom, which measures the number of clicks required to find desired information
   Customer Satisfaction: Measured by such benchmarks as satisfaction surveys, percentage of existing customers retained, and increases in revenue dollars per customer
   Conversion Rates: The number of customers an organization touches for the first time and persuades to purchase its products or services. This is a popular metric for evaluating the effectiveness of banner, pop-up, and pop-under ads on the Internet
   Financial: Such as return on investment, cost-benefit analysis and break-even analysis

Figure 3-4 Common Types of Efficiency and Effectiveness IT Metrics

3.1.4 Measuring Information Systems Performance


Organizations spend enormous sums of money on IT to compete in today's fast-paced business environment. Some organizations spend up to 50 percent of their total capital expenditures on IT. To justify these expenditures, an organization must measure the payoff of these investments, their impact on business performance, and the overall business value gained. Efficiency and effectiveness metrics are two primary types of IT metrics. Efficiency IT metrics measure the performance of the information system itself such as throughput, speed and availability. Effectiveness IT metrics measure the impact the system has on business processes and activities including customer satisfaction, conversion rates, and sell-through increases.

Peter Drucker offers a helpful distinction between efficiency and effectiveness. Drucker states that managers "Do things right" and/or "Do the right things." Doing things right addresses efficiency: getting the most from each resource. Doing the right things addresses effectiveness: setting the right goals and objectives and ensuring they are accomplished. Efficiency focuses on the extent to which an organization is using its resources in an optimal way, while effectiveness focuses on how well an organization is achieving its goals and objectives. The two, efficiency and effectiveness, are definitely interrelated. However, success in one area does not necessarily imply success in the other.

Regardless of what is measured, how it is measured, and whether it is for the sake of efficiency or effectiveness, there must be benchmarks, or baseline values the system seeks to attain. Benchmarking is a process of continuously measuring system results, comparing those results to optimal system performance, and identifying steps and procedures to improve system performance. Efficiency IT metrics focus on the technology itself. Effectiveness IT metrics are determined according to an organization's goals, strategies, and objectives. Figure 3-4 highlights the most common types of efficiency and effectiveness IT metrics.

3.1.5 Project Management


A project is a planned series of related activities for achieving a specific business objective. Information systems projects include the development of new information systems, enhancing existing systems, upgrading the firm's IT infrastructure, or replacing the old systems. There is a very high failure rate among information systems projects because they have not been properly managed. The Standish Group, which monitors IT project success rates, found that in 2007 only 29 percent of all IT investments were completed on time, on budget, and with all features and functions originally specified. Firms may have incorrectly assessed the business value of the new system or were unable to manage the organizational change required by the new technology. That is why it is essential to know how to manage information systems projects.

Project management refers to the application of knowledge, skills, tools, and techniques to achieve specific targets within specified budget and time constraints. Project management activities include planning the work, assessing risk, estimating resources required to accomplish the work, organizing the work, acquiring human and material resources, assigning tasks, directing activities, controlling project execution, reporting progress, and analyzing the result. As in other areas of business, project management for information systems must deal with five major variables: scope (defining what work is included in a project), time (defining the amount of time required to complete the project), cost (calculating the total cost of hardware, software, human resources, and work space), quality (specifying an indicator of how well the end result of a project satisfies the objectives), and risk (estimating the potential problems that would threaten the success of a project).

Figure 3-5 An example of Gantt chart

To plan and schedule a project effectively, the project leader must identify the following components of the project:
The goal, objectives, and expectations of the project, collectively called the scope of the project
Required activities
Time estimates for each activity
Cost estimates for each activity
The order in which activities must occur
Activities that may be performed concurrently

When these items are identified, the project leader usually records them in a project plan. A popular tool used to plan and schedule the time relationships among project activities is a Gantt chart (Figure 3-5). A Gantt chart, developed by Henry L. Gantt, is a bar chart that uses horizontal bars to show project phases or activities. The left side, or vertical axis, displays the list of required activities. A horizontal axis across the top or bottom of the chart represents time. Another tool used for planning and scheduling time is called a PERT chart, short for Program Evaluation and Review Technique chart. Developed by the U.S. Department of Defense, a PERT chart analyzes the time required to complete a task and identifies the minimum time required for an entire project (see Figure 3-6). PERT charts, sometimes called network diagrams, can be more complicated to create than Gantt charts for planning and scheduling large, complex projects.

Figure 3-6 An example of PERT chart

After a project begins, the project leader monitors and controls the project. Some activities take less time than originally planned. Others take longer. The project leader may realize that an activity is taking excessive time or that scope creep has occurred. Scope creep occurs when one activity has led to another that was not originally planned; thus, the scope of the project now has grown. Project leaders should have good change management skills so they can recognize when a change in the project has occurred, take actions to react to the change, and plan for opportunities because of the change. For example, the project leader may recognize the team will not be able to meet the original deadline of the project due to scope creep. Thus, the project leader may extend the deadline or may reduce the scope of the system development. If the latter occurs, the users will receive a less comprehensive system at the original deadline. In either case, the project leader revises the first project plan and presents the new plan to users for approval. It is crucial that everyone is aware of and agrees on any changes made to the project plan.

Figure 3-7 Microsoft Project is popular project management software

One aspect of managing projects is to ensure that everyone submits deliverables on time and according to plan. A deliverable is any tangible item such as a chart, diagram, report, or program file. Project leaders can use project management software such as Microsoft Project (Figure 3-7) to assist them in planning, scheduling, and controlling development projects.

Companies typically are presented with many different projects for solving problems and improving performance. There are far more ideas for system projects than there are resources. The company should select the projects that promise the greatest benefit to the business. In order to identify the information systems projects that will deliver the most business value, you will need to identify their costs and benefits and how they relate to the firm's business strategy and information system plan.

Some systems development projects are more likely to run into problems or to suffer delays because they carry a much higher level of risk than others. The level of project risk is influenced by project size, project structure and the level of technical expertise of the information systems staff and project team. Dealing with the project risks requires an understanding of the implementation process and change management. A broader definition of implementation refers to all the organizational activities working toward the adoption and management of an innovation, such as a new information system. Successful implementation requires a high level of user involvement in a project and management support.

As globalization proceeds, companies will be building many more new systems that are global in scale, spanning many different units in many different countries. The project management challenges for global systems are similar to those for domestic systems, but they are complicated by the international environment. User information requirements, business processes, and work cultures differ from country to country.

Developing a new information system solution is not merely a matter of installing hardware and software. The business must also deal with the organizational changes that the new solution will bring about: new information, new business processes, and perhaps new reporting relationships and decision-making power. A very well-designed solution may not work unless it is introduced to the organization very carefully. The process of planning change in an organization so that it is implemented in an orderly and effective manner is critical to the success or failure of information system solutions.

3.2 Participants in Systems Development

Effective system development requires a team effort. For each system development project, the organization usually establishes a project team to work on the project from beginning to end. The team usually consists of stakeholders, users, managers, systems development specialists and various support personnel (Figure 3-8). The development team is responsible for determining the objectives of the information system and delivering a system that meets these objectives to the organization. System development should involve representatives from each department in which the proposed system will be used. This includes both nontechnical users and IT professionals. Although the roles and responsibilities of members of the system development team may change from company to company, this section presents general descriptions of tasks for various team members.

Steering committee: Decision-making body of an organization
Network administrator/data communications analyst: Installs and maintains networks; installs and monitors communications equipment and software
Database administrators and database analysts: Administers and controls an organization's resources; works with system administrator and with application development teams; assists systems analysts and programmers in developing or modifying applications that use the company's database
Management
Users: Interacts with the information system or uses the information it generates; assists with defining system requirements
Vendors
Security specialist: Responsible for security of an organization's systems, data and information
System analyst
Data warehousing specialist: Develops and designs enterprise-wide applications for data mining
Webmaster: Develops and maintains an organization's Web site; creates or helps users create Web pages
Application and system programmers: Converts the system design into the appropriate programming language and tests finished programs; installs and maintains operating system software and provides technical support to the programmer's staff
Other system analysts

Figure 3-8 Systems development participants

Stakeholders are individuals who, either themselves or through the area of the organization they represent, ultimately benefit from the systems development project. Managers who have high visibility roles as system sponsors or champions are key stakeholders in many strategically important systems because they work toward the system's success and ultimately receive some of the credit or blame. Other stakeholders may be affected less directly if a system shifts the balance of power in an organization or works contrary to their personal goals. Information systems that create new communication patterns are likely to have a wide range of stakeholders. Information system staff members are important stakeholders of most information systems because they are responsible for system operation and enhancement. As professionals in the field, they have a deeper understanding than most business professionals about what it takes to build and maintain solid information systems. They also have a clearer view of technical relationships between different systems and of policies and practices related to systems.

During the course of the system development project, the systems analyst meets and works with a variety of people. A systems analyst is a professional who specializes in analyzing and designing business systems and is responsible for designing and developing an information system for his/her company. The systems analyst is the users' primary contact person. Depending on the size of the organization, the tasks performed by the systems analyst may vary.
Smaller companies may have one system analyst or even one person who assumes the roles of both system analyst and programmer. Larger companies often have multiple systems analysts. System analysts are the liaison between the users and the IT professionals. They convert user requests into technical specifications. Thus, systems analysts must have superior technical skills. They also must be familiar with business operations, be able to solve problems, have the ability to introduce and support change, and posses excellent communications and interpersonal skills. System analysts prepare many reports, drawings, and diagrams. They discuss various aspects of the development project with users, management, other analysts, database analysts, database administrators, network administrators, the webmaster, programmers, vendors, and steering committee. Systems analyst is one of the most demanding positions in the country. Typically, systems analysts are more involved in design issues than in day-to-day programming. The minimum educational requirement is a bachelor's degree, but many companies opt for a master's degree. Salaries are excellent in this demanding occupation. A successful systems analyst is willing to embrace new technologies and is open to continued learning. Growing in demand are skills for the systems analyst that include e-business and enterprise-wide networking. The steering committee is a decision-making body in an organization. The goal of a steering committee is to get an organizations leaders, who have different interests and agendas, to share the responsibilities and risks that come with aligning information systems initiatives with broader business aims. Many organizations utilize a steering committee for some aspect of their information systems project management. 
A software programmer is a professional who uses a computer programming language, such as C++, C#, Java, Perl, PHP, and Visual Basic, to write the instructions necessary to direct the computer to process data into information. Programmers are responsible for developing computer programs to satisfy user requirements. They take the plans from the systems analyst and build the necessary software. Users are individuals who will interact with the system regularly. They can be employees, managers, customers, or suppliers. For large-scale systems development projects, where the investment in and value of a system can be quite high, is common to have senior-level managers, including the company president and functional vice presidents, be part of the development team. Since user information requirements drive the entire system-developing effort, user must have sufficient control over the design process to ensure that the system reflects their business priorities and information needs. The nature and level of user participation in systems development vary from system to system. There is more need for user involvement in systems with requirements that elaborate, complex, or vaguely defined than in those with simple or straightforward requirements. The other support personnel on the development team are mostly technical specialists. 
The network specialists are responsible for installing and maintaining local networks; the database specialists assist systems analysts and programmers in developing or modifying applications that use the companys database; the database administrators administer and control an organizations data and information resources; the data warehousing specialists develop and design enterprise-wide applications for data mining; the data communications specialists evaluate, install, and monitor data communications equipment and software and is responsible for connections to the Internet and other wide area networks; and the Webmasters create and maintain an organizations Web site. One or more of these roles may be outsourced to other companies or consultants. Depending on the magnitude of the systems development project and the number of information systems development specialists on the team, the team may also include one or more IT managers. The composition of a development team may vary over time and from project to project. For small businesses, the development team may consist of a system analyst and the business owner as the primary stakeholder. For large organizations, formal information systems development team can include hundreds of people involved in a variety of systems development activities. Every development team should have a team leader,

52

who is responsible for managing and controlling the budget and schedule of the project. The system analyst may or may not be selected as the project leader of the project.

3.3 System Development Life Cycle

3.3.1 Phases in the System Development Cycle


Information systems development consists of phases, referred to collectively as the system development life cycle. The system development life cycle (SDLC) is a very formal approach to building information systems and refers to all the activities that go into producing an information systems solution to an organizational problem or opportunity. This methodology assumes that an information system has a life cycle similar to that of any living organism, with a beginning, a working period, and an end. SDLC partitions the system development process into distinct phases and has an organized set of activities that guide people through the development of an information system. Some activities in the SDLC may be performed at the same time, while other activities are performed sequentially. Each activity involves interaction with the organization. Depending on the type and complexity of the information systems being developed, the nature and duration of the specific activities vary from one system to the next. The activities of the SDLC can be grouped into five major phases (Figure 3-9):

1. Planning
2. Analysis
3. Design
4. Implementation
5. Operation and maintenance

As shown in Figure 3-9, each phase in the system development cycle consists of a series of activities, and the phases form a loop. Information systems development is an ongoing process for an organization. The phases in the SDLC form a loop because, when the information system requires changing, which may happen for a variety of reasons, such as the information requirements of users having changed or hardware and software having become obsolete, the planning phase for a new or modified system begins and the system development life cycle starts again. The goal of the SDLC is to keep the project under control and assure that the information system developed satisfies the requirements. In theory, the five phases in the system development cycle often appear sequentially, as shown in Figure 3-9. In reality, activities within adjacent phases often interact with one another--making the system development cycle a dynamic iterative process. Members of the system development team follow established guidelines during the entire system development cycle.

Figure 3-9 Phases of the system development cycle

1. Planning: review project requests; prioritize project requests; allocate resources; form project development team
2. Analysis: conduct preliminary investigation; perform detailed analysis activities (study current system, determine user requirements, recommend solution)
3. Design: acquire hardware and software, if necessary; develop details of system
4. Implementation: develop programs, if necessary; install and test new system; train users; convert to new system
5. Operation, Support, and Security: perform maintenance activities; monitor system performance; assess system security
Ongoing activities: project management; feasibility assessment; documentation; data/information gathering


They also interact with a variety of IT professionals and others during the system development cycle. In addition, they perform several ongoing activities during all five phases of the system development cycle. The following sections discuss each of these phases.

3.3.2 Planning Phase


The initiation of a system development project may begin in many different ways. A system user requests a new or modified information system for a variety of reasons, some external and some internal. An external reason is competition. For example, once one bank offers Internet access to account information, others will have to follow suit, or run the risk of losing customers. One internal reason for modifying an information system is to improve or enhance it. For example, if a school wants to provide students with the ability to register for classes via the Internet, the school would have to modify the existing registration system to include this enhancement. The most obvious internal reason for changing an information system is to correct a business problem. For example, the stock-on-hand listed on a report may not match the actual stock-on-hand in the warehouse.

The planning phase for a project begins when the steering committee receives a project request. As mentioned earlier in this chapter, the steering committee is a decision-making body for a company. This committee typically includes a mix of vice presidents, managers, nonmanagement users, and IT personnel. During the planning phase, four major activities are performed: (1) review and approve the project requests; (2) prioritize the project requests; (3) allocate resources such as money, people, and equipment to approved projects; and (4) form a project development team for each approved project.

If management receives several project requests at the same time, the project requests should be prioritized. The projects that receive the highest priority are those mandated by management or some other governing body. These requests are given immediate attention. The steering committee evaluates the remaining project requests based on their value to the company. The steering committee approves some projects and rejects others. Of the approved projects, it is likely that only a few will begin their system development cycle immediately. Others will have to wait for additional funds or resources to become available.

Figure 3-10 Business objectives, system functionality, and information requirements for a typical e-commerce system

Business Objective | System Functionality | Information Requirements
Display products | Digital catalog | Dynamic text and graphics catalog
Provide product information (content) | Product database | Product description, stocking numbers, inventory levels
Personalize/customize product | Customer on-site tracking | Site log for every customer visit; data mining capability to identify common customer paths and appropriate responses
Execute a transaction payment | Shopping cart/payment system | Secure credit card clearing; multiple options
Accumulate customer information | Customer database | Name, address, phone, and e-mail; online customer registration
Provide after-sale customer support | Sales database | Customer ID, product, date, shipping date, payment
Coordinate marketing/advertising | Ad server, e-mail server, ad banner manager, campaign manager | Site behavior log of prospects and customers linked to e-mail and banner ad campaigns
Understand marketing effectiveness | Site tracking and reporting system | Number of unique visitors, pages visited, products purchased, identified by marketing campaign
Provide production and supplier links | Inventory management system | Product and inventory levels, supplier ID and contact, order quantity data by product

3.3.3 Analysis Phase


This phase of the SDLC tries to answer the question, "What do we want the system to do for our business?" This phase identifies business objectives, system functionality, and information requirements. System functionalities are a list of the types of information systems capabilities you will need to achieve your business objectives. The information requirements for a system are the information elements that the system must produce in order to achieve the business objectives. You will need to provide these lists to system developers and programmers so they know what you as the manager expect them to do. The key here is to let the business decisions drive the technology, not the reverse. This will ensure that your technology platform is aligned with your business. Figure 3-10 shows an example that describes some basic business objectives, system functionalities, and information requirements for a typical e-commerce system. Once you have identified the business objectives and system functionalities, and have developed a list of information requirements, you can consider how all these functionalities will be delivered.

System analysis is the analysis of the problem that the organization will try to solve with an information system. This analysis consists of two major tasks: (1) conduct a preliminary investigation and (2) perform a detailed analysis.

Preliminary Investigation

The preliminary investigation, also called the feasibility study, is a user-oriented overview of the proposed information system's purpose and feasibility. The purpose of the preliminary investigation is to define the problem or enhancement, identify its causes or sources, determine whether or not the problem or enhancement identified is worth pursuing, and determine whether the project is feasible, or achievable, given the organization's resources and constraints. Should the company continue to assign resources to this project? To answer this question, the systems analyst conducts a general study of the project and presents his or her findings in a report.

The most important aspect of the preliminary investigation is to define accurately the problem or enhancement. The perceived problem or enhancement identified in the project request may or may not be the actual problem. In other words, the actual problem may be different from the one suggested in the project request. For example, suppose the shipping department complains that the marketing department takes too long to send customer names and addresses. An investigation might reveal the marketing department is not the problem. The problem exists because the marketing department does not have instant access to the customer names and addresses.

The preliminary investigation begins with an interview of the user who submitted the project request, and other users who will be affected by the project. In addition to interviewing, members of the project team may use other data gathering techniques. During the preliminary investigation, through examining documents and procedures, observing system operations, and interviewing key users, the development team can identify the problem area and objectives to be achieved by the solution. Upon completion of the preliminary investigation, the systems analyst writes the feasibility report that presents his/her findings and a recommendation to the steering committee.

Feasibility is a measure of how suitable the development of a system will be to the company. A project that is feasible at one point of the system development cycle might become infeasible at a later point. Thus, systems analysts frequently reevaluate feasibility during the system development cycle. A systems analyst typically uses the following four tests to evaluate the feasibility of a project:

1) Technical Feasibility: whether the proposed information system can be implemented with the available hardware, software, technical resources, and human resources.
2) Economic Feasibility: whether the lifetime benefits of the proposed information system outweigh the lifetime costs.
3) Operational Feasibility: whether the proposed solution is desirable within the existing managerial and organizational framework and culture. Will the users like the new system? Will they use it? Will it meet their requirements? Will it cause any changes in their work environment?
4) Schedule Feasibility: whether the established deadlines for the project are reasonable. If a deadline is not reasonable, the project leader might make a new schedule. If a deadline cannot be extended, then the scope of the project might be reduced to meet a mandatory deadline.

Normally the feasibility study will identify several alternative solutions that can be pursued by the organization. The written feasibility report will assess the feasibility of each alternative, describe the costs and benefits, advantages and disadvantages of each alternative, and give a recommendation. However, it is up to the steering committee to determine which mix of costs, benefits, technical features, and organizational impacts represents the most desirable alternative.


In some cases, the project team may recommend not to continue the project. In other words, the team considers the project infeasible. If the steering committee agrees, the project ends at this point. If the project team recommends continuing and the steering committee approves this recommendation, however, then detailed analysis begins.

Detailed Analysis

The detailed analysis defines the specific information requirements that must be met by the system solution selected and develops a detailed description of the functions that the new system must perform. This analysis involves three major activities: (1) study the existing system in depth so you thoroughly understand the current operations, uncover all possible problems and enhancements, and determine the causes and effects of these problems or enhancements; (2) determine the user's requirements for the proposed system, which includes who needs what information, and when, where, and how the information is needed; and (3) present alternative solutions to the problem or enhancement and then recommend a proposed solution.

Perhaps the most difficult task of the detailed analysis is to define the specific information requirements that must be met by the system. Faulty requirement analysis is a leading cause of system failure and high system development costs. An important benefit from studying the existing system and determining user requirements is that these activities build valuable relationships between the systems analyst and users. The systems analyst has much more credibility with users if he/she understands how the users currently perform their job responsibilities and respects their concerns.

During the detailed analysis, systems analysts use all available data and information gathering techniques. They review documentation, observe employees and machines, distribute surveys, interview employees, and do research. While studying the current system and identifying user requirements, the systems analyst collects a great deal of data and information. A major task for the systems analyst is to document these findings in a way that can be understood by everyone. Both users and IT professionals refer to this documentation. An important benefit from these activities is that they build valuable relationships between the systems analysts and users.

Most systems analysts use either a process modeling or object modeling approach to analysis and design. Process modeling is an analysis and design technique that describes processes that transform inputs into outputs. Tools that a systems analyst uses for process modeling include entity-relationship diagrams, data flow diagrams, and the project dictionary.

An entity-relationship diagram (ERD) is a tool that graphically shows the connections among entities in a system. An entity is an object in the system that has data. Each relationship describes a connection between two entities. For example, in the ERD shown in Figure 3-11, a vendor supplies one or more computers. A customer may or may not use one of these computers. A customer may or may not place an order. Some customers may place multiple orders. Each order contains one or more items from the menu. It is important that the systems analyst reviews the ERD with the user. After users approve the ERD, the systems analyst identifies data items associated with an entity. For example, the VENDOR entity might have these data items: Vendor Number, Vendor Name, Address, City, State, Postal Code, Telephone Number, and E-mail Address.

Figure 3-11 The ERD shows the relationships among entities in a system

A data flow diagram (DFD) is a tool that graphically shows the flow of data in a system. The key elements of a DFD are the data flows, the processes, the data stores, and the sources (Figure 3-12). A data flow, indicated by a line with an arrow, shows the input or output of data or information into or out from a process. A process, which is drawn as a circle, transforms an input data flow into an output data flow. A data store, shown as a rectangle with no sides, is a holding place for data and information. A source, drawn as a square, identifies an entity outside the scope of the system. A source sends data into the system or receives information from the system. As with ERDs, systems analysts often use DFDs to review processes with users. Systems analysts prepare DFDs on a level-by-level basis. The top level, known as a context diagram, identifies only the major process. Lower levels add detail and definition to the higher levels, similar to zooming in on a computer screen. The lower levels contain sub-processes.

Figure 3-12 The DFD shows the flow of data in a system

Figure 3-13 An example of structured English

Figure 3-14 An example of decision table

The project dictionary, sometimes called the repository, contains all the documentation and deliverables of a project. The project dictionary helps everyone keep track of the huge amount of details in a system. The dictionary explains every item found on DFDs and ERDs. Each process, data store, data flow, and source on every DFD has an entry in the project dictionary. Every entity on the ERD has an entry in the project dictionary. The dictionary also contains an entry for each data item associated with the entities. The number of entries added to the dictionary at this point can be enormous. As you might imagine, this activity requires a huge amount of time. The systems analyst uses a variety of techniques to enter these items in the project dictionary. Some of these include structured English, decision tables, decision trees, and the data dictionary.

Structured English is a style of writing that describes the steps in a process. Many systems analysts use structured English to explain the details of a process. Figure 3-13 shows an example of structured English that describes the process of uploading vendor information. Sometimes, a process consists of many conditions or rules. In this case, the systems analyst may use a decision table or decision tree instead of structured English. A decision table is a table that lists a variety of conditions and the actions that correspond to each condition. A decision tree also shows conditions and actions, but it shows them graphically. Figures 3-14 and 3-15 show a decision table and decision tree for the same process: determining whether a vendor is approved.

Figure 3-15 An example of decision tree

Each data item has an entry in the data dictionary section of the project dictionary (Figure 3-16). The data dictionary stores the data item's name, description, and other details about each data item. The systems analyst creates the data dictionary during detailed analysis. In later phases of the system development cycle, the systems analyst refers to and updates the data dictionary.

Figure 3-16 An example of data dictionary

Another approach systems analysts can use is object modeling, sometimes called object-oriented (OO) analysis and design, which combines the data with the processes that act on that data into a single unit, called an object. An object is an item that can contain both data and the procedures that read or manipulate that data. For example, a Customer object might contain data about a customer (Customer ID, First Name, Last Name, Address, and so on) and instructions about how to print a customer's record or the formula required to compute a customer's amount due. Each data element is called an attribute or property. The procedure in the object, called an operation or method, contains activities that read and manipulate the data.

Object modeling can use the same tools as those used in process modeling. Many systems analysts, however, choose to use tools defined in the UML (Unified Modeling Language). Although used in all types of business modeling, the UML has been adopted as a standard notation for object modeling and development. The UML is a graphical tool that enables analysts to document a system. It consists of many interrelated diagrams. Each diagram conveys a view of the system. The latest UML tool includes 13 different diagrams to assist the analyst in modeling the system. Two of the more common diagrams are the use case diagram and class diagram.

A use case diagram graphically shows how actors (a user or other entity) interact with the information system (Figure 3-17). The function that the actor can perform is called the use case. A class diagram graphically shows classes and subclasses in a system (Figure 3-18). On a class diagram, objects are grouped into classes. Each class can have one or more lower levels called subclasses. Each subclass inherits the methods and attributes of the objects in its higher-level class. Every object in a class shares methods and attributes that are part of its higher-level class. This concept of lower levels inheriting methods and attributes of higher levels is called inheritance.

Figure 3-17 An example of use case diagram

Figure 3-18 An example of class diagram

The System Proposal

After having studied the current system and determined all user requirements, the systems analyst communicates possible solutions for the project in a system proposal. The purpose of the system proposal is to assess the feasibility of each alternative solution and then recommend the most feasible solution for the project. The systems analyst presents the system proposal to the steering committee. If the steering committee approves a solution, the project enters the design phase.

When the steering committee discusses the system proposal and decides which alternative to pursue, it often is deciding whether to buy packaged software from an outside source, build its own custom software, or outsource some or all of its IT needs to an outside firm.

Packaged software is mass-produced, copyrighted, prewritten software available for purchase. Vendors offer two types of packaged software: horizontal and vertical. Horizontal market software meets the needs of many different types of companies. If a company has a unique way of accomplishing activities, then it also may require vertical market software. Vertical market software specifically is designed for a particular business or industry. Horizontal market software tends to be more widely available and less expensive than vertical market software. You can search for vertical and horizontal market software on the Web.

Instead of buying packaged software, some companies write their own applications. Application software developed by the user or at the user's request is called custom software. The main advantage of custom software is that it matches the company's requirements exactly. The disadvantages usually are that it is more expensive and takes longer to design and implement than packaged software.

Companies can develop custom software in-house using their own IT personnel or outsource it, which means having an outside source develop it for them. Some companies outsource just the software development aspect of their IT operation. Others outsource more or all of their IT operation. Depending on a company's needs, outside firms can handle as much of the IT requirements as desired. Some provide hardware and software. Others provide services such as Web design and development, Web hosting, sales, marketing, billing, customer service, and legal assistance. A trend that has caused much controversy relates to companies that outsource to firms located outside their homeland.

Figure 3-19 A logical design for a simple Web site (diagram labels: Customer; Web Site; HTTP request; Verify Login; Accept/reject visitor; Customer information; Display Catalog Pages; Purchase Products; Ship Products; Fulfill order; Customer Database; Catalog Database; Order Database)

Figure 3-20 A physical design for a simple Web site (diagram labels: Customer on T1/Cable/DSL/56 KB modem; Internet; T1 Verizon line at 1.54 Mbps; your firm's Web server, an IBM eServer xSeries 336 with two Intel Xeon processors and 300 GB storage; Oracle SQL database; IBM WebSphere e-commerce suite; ad server; online catalog; mail server; shopping cart software)

3.3.4 Design Phase


Information analysis describes what an information system should do to meet information requirements, while information systems design shows how the system will fulfill this objective. The design of an information system is the overall plan or model for that system, which consists of all the specifications that give the system its form and structure. You must have a system design specification--a description of the main components in the system and their relationship to one another. These specifications should address all of the managerial, organizational, and technological components of the system solution. The design phase consists of two major activities: logical design and physical design.

Logical design lays out the logical model that describes the components of the system and their relationship to each other as they would appear to the users. It describes inputs and outputs, processing functions to be performed, business procedures, data models and controls. Controls specify standards for acceptable performance and methods for measuring actual performance in relation to these standards. A logical design usually is a data flow diagram. Figure 3-19 shows an example of logical design for a very basic Web site.

After the systems analyst identifies the data and process requirements, the next step is to develop detailed specifications for the components in the proposed solutions. A detailed design sometimes is called a physical design. Physical design is the process of translating the abstract logical design into physical components--the specific model of computers to be purchased, software to be used, the size of the telecommunications link that will be required, the way the system will be backed up, and security procedures. It produces the specifications for hardware, software, physical databases, input/output media and format, networking, manual procedures, and specific controls. Physical design develops all of the details of the information system to be implemented with respect to functionality, features, and performance. To obtain these specifications, the systems analyst researches using a variety of techniques such as talking with other analysts, visiting vendors' stores, surfing the Web, and reviewing written technical materials. Many trade journals, newspapers, and magazines provide some or all of their printed content as e-zines. An e-zine, or electronic magazine, is a publication available on the Web. Figure 3-20 shows the physical design of the logical model shown in Figure 3-19.

During database design, the systems analyst builds upon the data dictionary developed during the analysis phase. The systems analyst works closely with the database analysts and database administrators to identify those data elements that currently exist within the company and those that are new. With relational database systems, the systems analyst defines the structure of each table in the system, as well as relationships among the tables. The systems analyst also addresses user access privileges. That is, the systems analyst defines which data elements each user can access, when they can access the data elements, what actions they can perform on the data elements, and under what circumstances they can access the elements. The result of database design is called a data model.

During the input and output design, the systems analyst carefully designs every menu, screen, and report specified in the requirements. The outputs often are designed first because they help define the requirements for the inputs. Thus, it is very important that outputs are identified correctly and that users agree to them. The systems analyst typically develops two types of designs for each input and output: a mockup and a layout chart. A mockup is a sample of the input or output that contains actual data (Figure 3-21). The systems analyst shows mockups to users for their approval. Because users will work with the inputs and outputs of the system, it is crucial to involve users during input and output design. After users approve the mockup, the systems analyst develops a layout chart for the programmer. A layout chart is more technical and contains programming-like notations for the data items (Figure 3-22). Other issues that must be addressed during input and output design include the types of media to use (paper, video, audio); formats (graphical or narrative); and data entry validation techniques, which make sure the entered data is correct.

Figure 3-21 This input screen is a mockup for users to review and approve

Figure 3-22 The layout chart for the mockup in Figure 3-21

During program design, the systems analyst prepares the program specification package, which identifies the required programs and the relationship among each program, as well as the input, output, and database specifications.

Many people should review the detailed design specifications before they are given to the programming team. Reviewers should include users, systems analysts, managers, IT staff, and members of the system development team. One popular review technique is an inspection. An inspection is a formal review of any system development cycle deliverable. A team of four or five people examines the deliverables, such as reports, diagrams, mockups, layout charts, and dictionary entries. The purpose of an inspection is to identify errors in the item being inspected. Any identified errors are summarized in a report so they can be addressed and corrected. Once again, the systems analyst reevaluates feasibility to determine if it is still beneficial to proceed with the proposed solution.
If the steering committee decides the project still is feasible, which usually is the case, the project enters the implementation phase.
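
The user access privileges defined during database design (which data elements each user can access, when, with what actions, and under what circumstances) can be recorded as a table in which anything not listed is denied. The following Python code is an added example, not part of the original chapter; the roles, data elements, hours, and rules are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Privilege:
    actions: frozenset                   # what actions may be performed
    hours: Optional[Tuple[time, time]]   # when: [start, end); None = any time
    own_records_only: bool               # under what circumstances


# Constructed policy for a hypothetical billing system.
# Key: (role, data element). Any pair that is not listed is denied.
POLICY = {
    ("billing_clerk", "invoice.amount"):
        Privilege(frozenset({"read", "update"}), (time(8), time(18)), False),
    ("billing_clerk", "customer.credit_limit"):
        Privilege(frozenset({"read"}), (time(8), time(18)), False),
    ("customer", "invoice.amount"):
        Privilege(frozenset({"read"}), None, True),
}

# Constructed data dictionary entries carried over from the analysis phase.
DATA_DICTIONARY = ["invoice.amount", "customer.credit_limit", "customer.tax_id"]


@dataclass(frozen=True)
class Request:
    user_id: str        # who is asking
    role: str           # role assigned to that user
    element: str        # data element being accessed
    action: str         # "read" or "update"
    at: time            # time of day of the request
    record_owner: str   # user the record belongs to


def decide(req, policy=POLICY):
    """Return (allowed, reason) for one request, denying by default."""
    rule = policy.get((req.role, req.element))
    if rule is None:
        return False, "no privilege defined"
    if req.action not in rule.actions:
        return False, "action not permitted"
    if rule.hours is not None:
        start, end = rule.hours
        if not (start <= req.at < end):
            return False, "outside permitted hours"
    if rule.own_records_only and req.record_owner != req.user_id:
        return False, "not the record owner"
    return True, "permitted"


def unassigned_elements(data_dictionary=DATA_DICTIONARY, policy=POLICY):
    """List data elements that no role has any privilege for.

    Useful in a design inspection: each such element was either forgotten
    or is intentionally inaccessible, and the reviewers should know which.
    """
    covered = {element for (_role, element) in policy}
    return [e for e in data_dictionary if e not in covered]


if __name__ == "__main__":
    samples = [
        Request("u1", "billing_clerk", "invoice.amount", "update", time(9, 30), "c7"),
        Request("u1", "billing_clerk", "invoice.amount", "update", time(19, 0), "c7"),
        Request("c7", "customer", "invoice.amount", "read", time(23, 0), "c8"),
        Request("a1", "auditor", "invoice.amount", "read", time(10, 0), "c7"),
    ]
    for r in samples:
        print(r.role, r.element, r.action, r.at, "->", decide(r))
    print("elements without any privilege:", unassigned_elements())
```
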

3.3.5 Implementation Phase


When you have both the logical and physical designs for your system, you can begin considering how to actually build the system. The implementation phase converts the system specifications established during systems analysis and design phases into a fully operational information system. The purpose of this phase is to construct the new or enhanced system and then deliver it to the users. Five major activities are performed in this phase: (1) acquire necessary hardware and software; (2) develop computer programs if necessary; (3) install and test the new system; (4) train and educate users; and (5) convert to the new system.

According to the specifications in the system design, the system analyst sends either a request for quotation or a request for proposal to prospective hardware and software vendors. A request for quotation (RFQ) is used when you know which products you want. The vendor quotes prices for the specified products. A request for proposal (RFP) is used when you want the vendor to select the products that meet your requirements and then quote the prices.

Systems analysts have a variety of ways to locate vendors. Many vendors publish their product catalogs on the Web. These online catalogs provide up-to-date information on and easy access to products, prices, technical specifications, and ordering information. Another source for hardware and software products is a value-added reseller. A value-added reseller (VAR) is a company that purchases products from manufacturers and then resells these products to the public--offering additional services with the product. Examples of additional services include user support, equipment maintenance, training, installation, and warranties. Instead of using vendors, some companies hire IT consultants; that is, they outsource this task. An IT consultant is a professional who is hired based on computer expertise, including service and advice. IT consultants often specialize in configuring hardware and software for businesses of all sizes.

After you receive completed quotations and proposals from the potential vendors, you must evaluate vendor proposals and then select the best one. It is a difficult task. It is important to be as objective as possible while evaluating each proposal. A popular technique is to establish a scoring system that you can use to rate each proposal. System analysts use many techniques to test the various software products from vendors. They obtain a list of user references from the software vendors. They also talk to current users of the software to solicit their opinions. Some vendors will give a demonstration of the product specified. Other vendors provide demonstration copies so that analysts can test the software themselves. Demonstration copies usually are free and have limited functionality. Trial versions are free or have minimal fees and provide full functionality for a set time. In some cases, the demonstration copies and trial versions are available to download from the Web.

Sometimes it is important to know whether the software can process a certain volume of transactions efficiently. In this case, the systems analyst conducts a benchmark test. A benchmark test measures the performance of hardware or software. For example, a benchmark test could measure the time it takes a billing program to print 50 billing statements. Some computer magazines conduct benchmark tests while evaluating hardware and software and then publish these results for consumers to review. Having rated the proposals, the systems analyst presents a recommendation to the steering committee. The recommendation could be to award a contract to a vendor or to not make any purchases at this time.

If the project development team decides to write custom software, instead of purchasing packaged software, then the programmers will develop programs from the program specification package created during analysis and design.
It is in this activity, called programming, that system specifications are translated into program code, the actual instructions for the machine. Like the system development life cycle, program development also follows an organized set of activities, called the program development life cycle (PDLC). The PDLC follows six steps: (1) analyze the requirements, (2) design the solution, (3) validate the design, (4) implement the design, (5) test the solution, and (6) document the solution. Chapter 14 explains the program development cycle in depth.

If new hardware was acquired, the hardware must be installed and tested at this point. Both packaged software and custom software programs have to be installed on the hardware. It is extremely important that the hardware and software be tested thoroughly. Inadequate system testing will lead to serious problems or even disaster to the organization. Just as you test individual programs, you must test the entire information system to ensure that the programs and hardware operate together to accomplish the desired functions. System tests frequently uncover inconsistencies among programs as well as inconsistencies in the original hardware or software specification. It is better to find errors so you can correct them before putting the system into production; that is, delivering it to the users. Testing an information system can be broken down into four types of activities:

1. Unit Testing: test each program separately in the system. The purpose of such testing is to guarantee that programs are error-free.
2. System Testing: test the functioning of the information system as a whole and verify that all programs in the system work together properly.
3. Integration Testing: verify that the information system works well with other systems.
4. Acceptance Testing: provide the final certification that the system is ready to be used in a production setting.

System tests are evaluated by users and reviewed by management.
When all parties are satisfied that the new system meets their standards, the system is formally accepted for the conversion.

According to a recent study, poor user training is one of the top ten reasons why system development projects fail. For an information system to be effective, users must be trained properly on its functionality. They must be trained on how to use both the hardware and the software. Training is the process of ensuring that system users know what they need to know about both the work system and the information system. Training shows the users exactly how they will use the new hardware and software in the system. Training may take place as classroom-style lectures or Web-based training that is a self-directed, self-paced online instruction method. The training format depends on user backgrounds and the purpose and features of both the work system and the information system. Companies can also provide education to the users. Education is the process of learning new principles or theories that help users understand the system. For example, many companies do their business electronically. In this case, employees need to be educated on the concepts and practices of E-commerce.

The final implementation activity is to change from the old system to the new system. This process is called conversion. This conversion can take place using one or more of the following conversion strategies (Figure 3-23):

Direct cutover strategy: With direct cutover strategy, users stop using the old system and begin using the new system on a certain date. The advantage of this strategy is that it requires no transition costs and is a quick implementation technique. The disadvantage is that it is extremely risky and can disrupt operations seriously if the new system does not work correctly, since there is no other system to fall back on.

Parallel strategy: Both the old system and its potential replacement are running together for a specified time period until it is assured that the new one functions correctly. The advantage of this strategy is that any problems with the new system can be solved before the old system is terminated. The disadvantage is that it is very expensive since additional staff or resources may be required to run the extra system.

Phased strategy: This strategy introduces the new system in stages, either by functions or by organizational units. Each function or organizational unit is converted separately at different times using either a direct cutover or parallel conversion. This strategy is often used with larger systems that are split into individual sites.

Pilot strategy: This strategy introduces the new system to only a limited area of the organization, such as a single department or operating unit. When this pilot version is complete and working smoothly and correctly, it is installed throughout the rest of the organization, using one of the aforementioned conversion strategies.

Figure 3-23 System conversion strategies

3.3.6 Operation and Maintenance Phase


After the new system is installed and conversion is complete, the system is said to be in production or operation. The information systems specialists maintain the information system and provide its users with ongoing assistance during its operation period. This phase consists of four major activities: (1) conducting a post-implementation system review; (2) correcting errors; (3) identifying enhancements; and (4) monitoring system performance.

One of the first activities the company performs is to meet with users. The purpose of this meeting, called the post-implementation system review, is to discover whether the information system is performing according to the users' expectations. Both users and technical specialists will review the information system to determine how well it has met its original objectives and to decide whether any revisions or modifications are in order. If the system is not meeting the users' expectations, the systems analyst must determine what must be done to satisfy the users--back to the planning phase.

Sometimes users identify errors in the system when the program does not produce correct results. Problems with design (logic) usually are the cause of these errors. For example, the total of a column might be incorrect on a daily order summary. These types of errors require investigation--back to the planning phase.

If the users would like the system to do more, that is, they have additional requirements, the system analyst must decide how to enhance the existing system to satisfy the users. System enhancement involves modifying or expanding an existing information system--back to the planning phase.

The system analyst monitors the system to determine if the system is inefficient at any point and if the inefficiency is causing a problem. Changes in hardware, software, documentation, or procedures to an existing system to correct errors, meet new requirements, or improve processing efficiency mean that we begin planning all over again.
Thus, the loop forms in the system development life cycle.

3.3.7 CASE Tools


Many systems analysts use computer software to assist in the system development cycle. Computer-aided software engineering (CASE) software tools are designed to support a variety of activities of the system development cycle. CASE tools typically include diagrams to support both process and object modeling. CASE tools automate the methodologies we have just described to reduce the amount of repetitive work in system development. Some CASE tools exist separately. One program might be a dictionary and another might allow you to create drawings. The most effective tools are integrated (see Figure 3-24). The purpose of these tools is to increase the efficiency and productivity of the project development team. Usually an integrated CASE product includes the following capabilities:

Graphics -- enables the drawing of diagrams.
Modeling -- creates models of the proposed system.
Code Generators -- create actual computer programs from design specifications.
Project Repository -- stores diagrams, specifications, descriptions, programs, and any other deliverable generated during the system development cycle.
Quality Assurance -- analyzes deliverables, such as graphs and the data dictionary, for accuracy.
Housekeeping -- establishes user accounts and provides backup and recovery functions.

Figure 3-24 CASE tools can assist system developers in their development processes

3.4 Alternative System Development Approaches

Systems differ in terms of their size and technological complexity, and in terms of the organizational problems they are meant to solve. Because there are different kinds of systems, a number of methods have been developed to build systems. This section describes these alternative methods: prototyping, application software packages, end-user development, JAD/RAD, and outsourcing.

3.4.1 Prototyping
A major problem with the traditional SDLC is that the user does not use the solution until the system is nearly complete. The traditional approach is also inflexible -- changes in user requirements cannot be accommodated during development. One alternative approach to system development is prototyping. Prototyping takes an iterative approach to the systems development process. During each iteration, requirements and alternative solutions to the problem are identified and analyzed, new solutions are designed, and a portion of the system is implemented. Users are then encouraged to try the prototype and provide feedback. The prototype is a working version of an information system or part of the system, but it is meant to be only a preliminary model. During the development process, the prototype will be further refined until it conforms precisely to users' requirements. For many applications, a prototype will be extended and enhanced many times before a final design is accepted. Once the design has been finalized, the prototype can be converted to a polished production system.

Prototyping is less formal than the development life cycle method. Instead of generating detailed specifications and signoff documents, prototyping quickly generates a working model of a system. Requirements are determined dynamically as the prototype is constructed. Systems analysis, design, and implementation all take place at the same time. The process of building a preliminary design, trying it out, refining it, and trying again has been called an iterative process of systems development because the steps required to build a system can be repeated over and over again. Figure 3-25 shows a model of the prototyping process. The prototyping process consists of the following steps:

1. Determine requirements: The system developer works with users to identify the users' basic information needs.
2. Develop a working prototype: The system developer creates a preliminary model of a major subsystem or a scaled-down version of the entire system.
3. Use the prototype: The developer lets users work with the working prototype to determine how well the prototype meets their needs and to make suggestions for improving the prototype.
4. Revise and enhance the prototype: The developer refines the prototype according to the users' requests. After the prototype has been revised, the cycle returns to step 3. Steps 3 and 4 are repeated until the user is satisfied. When no more iteration is required, the approved prototype then becomes an operational system.

Figure 3-25 Prototyping process

Prototyping is most useful when there is some uncertainty about requirements or design solutions. Requirements may be difficult to specify in advance or they may change substantially as implementation progresses. This is particularly true of decision-oriented applications, where requirements tend to be very vague. Prototyping is also valuable for the design of the end-user interface of an information system (the part of the system that end users interact with, such as online display and data entry screens, reports, or Web pages). User needs and behaviors are not entirely predictable and are strongly dependent on the context of the situation. Because prototyping encourages intense end-user involvement throughout the systems development process, it is more likely to produce systems that fulfill user requirements.

However, rapid prototyping can gloss over essential steps in systems development. If the completed prototype works reasonably well, management may not see the need for reprogramming, redesign, or full documentation and testing to build a polished production system. Some of these hastily constructed systems may not easily accommodate large quantities of data or a large number of users in a production environment.

3.4.2 Application Software Packages


Information systems can be built using software from application software packages. There are many applications that are common to all business organizations--for example, payroll, accounts receivable, general ledger, or inventory control. For such universal functions with standard processes that do not change a great deal over time, a generalized system will fulfill the requirements of many organizations. If a software package can fulfill all of an organization's requirements, the company does not have to write its own software. The company can save time and money by using the prewritten, predesigned, pretested software programs from the package. Package vendors supply much of the ongoing maintenance and support for the system, including enhancements to keep the system in line with ongoing technical and business developments.

If an organization has unique requirements that the package does not address, many packages include capabilities for customization. Customization features allow a software package to be modified to meet an organization's unique requirements without destroying the integrity of the package software. If a great deal of customization is required, additional programming and customization work may become so expensive and time consuming that they eliminate many of the advantages of software packages.

When a system is developed using an application software package, system analysis will include a package evaluation effort. The most important evaluation criteria are the functions provided by the package, flexibility, user-friendliness, hardware and software resources, database requirements, installation and maintenance effort, documentation, vendor quality, and cost. The package evaluation process often is based on a Request for Proposal (RFP).

When a software package solution is selected, the organization no longer has total control over the system design process. Instead of tailoring the system design specifications directly to user requirements, the design effort will consist of trying to mold user requirements to conform to the features of the package. If the organization's requirements conflict with the way the package works and the package cannot be customized, the organization will have to adapt to the package and change its procedures. Even if the organization's business processes seem compatible with those supported by a software package, the package may be too constraining if these business processes are continually changing. A new company that was just being set up could adopt the business processes and information flows provided by the package as its own business processes. But organizations that have been in existence for some time may not be able to easily change the way they work to conform to the package.

3.4.3 End-User Development


One of the most difficult steps in creating any new system is determining the user requirements. What does the system need to do and how will it work? This step is crucial. If the designers make a mistake here, the system will either be useless or will need expensive modifications later. SDLC and prototyping take different approaches to this problem. With SDLC, analysts talk with users and write reports that describe how the system will operate. Users examine the reports and make changes. This approach is time consuming and difficult for users because they only see paper notes of the proposed system. Prototyping overcomes some of the problems by letting users work with actual screens and reports. But use of prototyping is hard to expand beyond one or two users.

Designing and developing systems is much easier if the entire system can be built by one person. In fact, that is one of the strengths of recent tools -- they enable a single person to build more complex systems. The term end-user development simply means that users do all of the development work themselves. Using fourth-generation languages, graphics languages, and PC software tools, end users can access data, create reports, build business models, and develop entire information systems on their own, with little or no help from professional systems analysts or programmers. Many of these end-user developed systems can be created much more rapidly than the traditional systems life cycle. Clearly the main advantage is that users get what they want without waiting for an IS team and without the difficulty of trying to describe the business problems to someone else.

Two basic reasons explain why end-user development is increasingly popular. First, most IS teams are facing a two- or three-year backlog of projects. That means that if you bring a new project to the IS team, the designers will not even start on it for at least two years. The second reason is that software tools are getting more powerful and easier to use at the same time. Today, it is possible for managers to create a business model and solve a business problem with a spreadsheet in a few hours that 10 years ago would have taken IS programmers a month to build with third-generation languages. As tools become more powerful and more integrated, it becomes possible to create even more complex systems.

Many organizations have reported gains in application development productivity by using an end-user computing approach that in a few cases have reached 300 to 500 percent. Allowing users to specify their own business needs improves requirements gathering and often leads to a higher level of user involvement and satisfaction with the system. However, end-user computing still cannot replace conventional methods for some business applications because the end users cannot easily handle the complexity of large transactions or applications with extensive procedural logic and updating requirements.

The potential problems of end-user development are not always easy to see. Most of them arise from the fact that users generally lack the training and experience of systems analysts and programmers. For instance, systems produced by end users tend to be written for only one person to use. They are oriented to working on stand-alone personal computers. The systems are often customized to fit the needs of the original users. The systems lack security controls and are hard to modify. Other problems stem from the bottom-up approach inherent in end-user development. People in different areas of the company will wind up working on the same problem, when it could have been solved once by IS teams. Data tends to be scattered throughout the company, making it hard to share and wasting space. Not following standards generates incompatibilities among systems, making it difficult to combine systems created by different departments or even by people within the same department.

End-user computing poses organizational risks because it occurs outside of traditional mechanisms for information system management and control. When systems are created rapidly, without a formal development methodology, testing and documentation may be inadequate. Control over data can be in systems outside the traditional information systems department. The last, and possibly most important, complication is that end-user development takes time away from the user's job. Some users spend months creating and modifying systems that might have been created by IS programmers in a fraction of the time. One of the reasons for creating an IS department is to gain efficiency from using specialists.

To help organizations maximize the benefits of end-user applications development, management should control the development of end-user applications by requiring cost justification of end-user information system projects and by establishing hardware, software, and quality standards for user-developed applications. Some organizations use information centers to promote standards for hardware and software so that end users cannot introduce many disparate and incompatible technologies into the firm. Information centers are special facilities housing hardware, software, and technical specialists to supply end users with tools, training, and expert advice so they can create information system applications on their own or increase their productivity. The role of information centers is diminishing as end-users become more computer literate, but organizations still need to closely monitor and manage end-user development.

3.4.4 Developing Systems with Teams: JAD and RAD


Many information systems, especially those that affect the entire organization, require teams of IS workers. As soon as multiple designers, analysts, and programmers are involved, we encounter management and communication problems. MIS researchers have measured the effects of these problems. For example, one study by Jones showed that team activities accounted for 85 percent of the development costs. There seem to be substantial areas for improvement in systems development by focusing on teamwork.

A technique known as joint application design (JAD) was created to accelerate the generation of information requirements and to develop the initial systems design. With JAD the main system is designed in an intense three- to five-day workshop. Users, managers, and systems analysts participate in a series of intense meetings to design the inputs and outputs needed by the new system. By putting all of the decision makers in one room at the same time, conflicts are identified and resolved faster. Users and managers gain a better understanding of the problems and limitations of technology. The resulting system has greater value for users and managers because it more closely matches their needs. There is less need for changes later, when they become more expensive, so the system is cheaper to create. Properly prepared and facilitated, JAD sessions can significantly speed the design phase while involving users at an intense level.

The biggest drawback to JAD is that it requires getting everyone together at the same time for an extended period of time. Even for a moderately complex system, the meetings can run eight hours a day for three to five days. Most managers and users find it difficult to be away from their jobs for that length of time. Higher-level managers are also needed at these meetings to ensure the system provides the appropriate reports and information. Finally, the meetings can only succeed if they are led by a trained facilitator. The facilitator keeps the discussions moving in the right direction, minimizes conflicts, and encourages everyone to participate. At the end of the sessions, the systems development team should have a complete description of the proposed system.

By providing advanced development tools, pre-built objects, and collaboration tools, some companies have found it is possible to reduce the overall development time. The key is to target steps that can overlap and be performed by multiple teams. By improving the collaboration tools, more steps can be compressed. Many e-commerce projects were developed with rapid application development (RAD) techniques. RAD is used to describe the process of creating workable systems in a very short period of time. RAD can include the use of visual programming and other tools for building graphical user interfaces, iterative prototyping of key system elements, the automation of program code generation, and close teamwork among end users and information systems specialists. RAD applies the value of teamwork to the developers. Firms are concerned about being the first in the market and feel they need to develop software rapidly. Systems often can be assembled from pre-built components. The process does not have to be sequential, and key parts of development can occur simultaneously. The technique of using small groups of programmers with advanced tools, collaboration, and intense programming sessions was relatively successful at quickly producing thousands of new applications.

3.4.5 Outsourcing
If a firm does not want to use its internal resources to build or operate information systems, it can hire an external organization that specializes in providing these services to do the work. The process of turning over an organization's computer center operations, telecommunications networks, or applications development to external vendors is called outsourcing. Application service providers (ASPs) are one form of outsourcing. Subscribing companies would use the software and computer hardware provided by the ASP as the technical platform for their system. In another form of outsourcing, a company would hire an external vendor to design and create the software for its system, but that company would operate the system on its own computer. Figure 3-26 illustrates the alternatives.

Figure 3-26 Choices in building and hosting the system

Outsourcing has become popular because some organizations perceive it as more cost effective than maintaining their own computer center or information systems staff. The provider of outsourcing services benefits from economies of scale (the same knowledge, skills, and capacity can be shared with many different customers) and is likely to charge competitive prices for information systems services. Outsourcing allows a company with fluctuating needs for computer processing to pay for only what it uses rather than to build its own computer center, which would be underutilized when there is no peak load. Some firms outsource because their internal information systems staff cannot keep pace with technological change or innovative business practices or because they want to free up scarce and costly talent for activities with higher payback.
Not all organizations benefit from outsourcing, and the disadvantages of outsourcing can create serious problems for organizations if they are not well understood and managed. Many firms underestimate costs for identifying and evaluating vendors of information technology services, for transitioning to a new vendor, and for monitoring vendors to make sure they are fulfilling their contractual obligations. These "hidden costs" can easily undercut anticipated benefits from outsourcing. When a firm allocates the responsibility for developing and operating its information systems to another organization, it can lose control over its information systems function. If the organization lacks the expertise to negotiate a sound contract, the firm's dependency on the vendor could result in high costs or loss of control over technological direction. Firms should be especially cautious when using an outsourcer to develop or to operate applications that give it some type of competitive advantage.

3.4.6 Summary
Increasingly, companies are converting at least some portion of their business to run over the Internet, intranets, or extranets. An important trend in systems development is that business applications are moving to the Internet to support selling products to customers, placing orders with suppliers, and letting customers and/or suppliers access information about production, inventory, orders, or accounts receivable. Internet technology provides a platform for applications that enables companies to extend their transaction processing systems beyond the boundaries of the organization to their customers, suppliers, and partners. This enables companies to conduct business much faster, interact with more people, and try to keep one step ahead of the competition.

Building a dynamic core business application that runs over the Web is much more complicated. Such applications must meet special business needs. They must be able to scale up to support highly variable transaction throughput from potentially thousands of users. Ideally, they can scale up instantly when needed. They must be reliable and fault tolerant, providing continuous availability while processing all transactions accurately. They must also integrate with existing infrastructure, including customer and order databases, existing applications, and enterprise resource planning systems. Development and maintenance must be quick and easy, as business needs may require changing applications on the fly. In the digital firm environment, organizations need to be able to add, change, and retire their technology capabilities very rapidly. Companies are adopting shorter, more informal development processes for many of their e-commerce and e-business applications, processes that provide fast solutions that do not disrupt their core transaction processing systems and organizational databases. They are relying more heavily on fast-cycle techniques such as JAD, prototypes, and reusable standardized software components that can be assembled into a complete set of services for e-commerce and e-business.

In summary, systems development can be a difficult task. Many projects have failed because they cost much more than anticipated or they did not produce useful systems. All development methods introduced in this chapter involve five basic steps: feasibility and planning, systems analysis, design, implementation, and maintenance. Prototyping and end-user development typically focus on the design stage. However, managers need to remember that implementation problems can arise with any new system, regardless of how it was created. The following table compares the advantages and disadvantages of each of the system-building alternatives.

Figure 3-27 Advantages and disadvantages of system-building methods

Approach: Systems life cycle
Features: Sequential step-by-step formal process. Written specification and approvals. Limited role of users.
Advantages: Necessary for large complex systems and projects.
Disadvantages: Slow and expensive. Discourages changes. Massive paperwork to manage.

Approach: Prototyping
Features: Requirements specified dynamically with experimental system. Rapid, informal, and iterative process. Users continually interact with the prototype.
Advantages: Rapid and relatively inexpensive. Useful when requirements uncertain or when end-user interface is very important. Promotes user participation.
Disadvantages: Inappropriate for large, complex systems. Can gloss over steps in analysis, documentation, and testing.

Approach: Applications software package
Features: Commercial software eliminates need for internally developed software programs.
Advantages: Design, programming, installation, and maintenance work reduced. Can save time and cost when developing common business applications. Reduces need for internal information systems resources.
Disadvantages: May not meet organization's unique requirements. May not perform many business functions well. Extensive customization raises development costs.

Approach: End-user computing
Features: Systems created by end users using fourth-generation software tools. Rapid and informal. Minimal role of information systems specialists.
Advantages: Users control systems-building. Saves development time and cost. Reduces application backlog.
Disadvantages: Can lead to proliferation of uncontrolled information systems and data. Systems do not always meet quality assurance standards.

Approach: Outsourcing
Features: Systems built and sometimes operated by external vendor.
Advantages: Can reduce or control costs. Can produce systems when internal resources are not available or technically deficient.
Disadvantages: Loss of control over the information systems function. Dependence on the technical direction and prosperity of external vendors.


3.5 Information Systems Management


3.5.1 Understanding Ethical and Social Issues Related to Systems
Ethical, social, and political issues are closely linked. The ethical dilemma you may face as a manager or user of information systems typically is reflected in social and political debates. The major ethical, social, and political issues raised by information systems include the following moral dimensions:

Information rights and obligations: What information rights do individuals and organizations possess with respect to themselves? What can they protect? What obligations do individuals and organizations have concerning this information? Privacy is the claim of individuals to be left alone. Information technology and systems threaten individual claims to privacy by making the invasion of privacy cheap, profitable, and effective.

Property rights and obligations: How will traditional intellectual property rights be protected in a digital society in which tracing and accounting for ownership are difficult and ignoring such property rights is so easy? Contemporary information systems have severely challenged existing law and social practices that protect private intellectual property. Digital media differ from books, periodicals, and other media in terms of ease of replication; ease of transmission; ease of alteration; difficulty in classifying a software work as a program, book, or even music; compactness, making theft easy; and difficulties in establishing uniqueness.

Accountability and control: Who can and will be held accountable and liable for the harm done to individual and collective information and property rights? New information technologies are challenging existing liability law and social practices for holding individuals and institutions accountable. For example, if you outsource your information processing, can you hold the external vendor liable for injuries done to your customers?

System quality: What standards of data and system quality should we demand to protect individual rights and the safety of society? What is an acceptable, technologically feasible level of system quality? Some system errors are foreseeable and correctable only at very great expense, an expense so great that pursuing this level of perfection is not feasible economically. Today, our businesses, governments, schools, and private associations, such as churches, are incredibly dependent on information systems and are, therefore, highly vulnerable if these systems fail.

Quality of life: What value should be preserved in an information- and knowledge-based society? Which institutions should we protect from violation? Which cultural values and practices are supported by the new information technology? The negative social costs of introducing information technologies and systems are beginning to mount along with the power of the technology. Computers and information technologies potentially can destroy valuable elements of our culture and society even while they bring us benefits. If there is a balance of good and bad consequences of using information systems, who do we hold responsible for the bad consequences?

Ethics is a concern of humans who have freedom of choice. Ethics is about individual choice: when we are faced with alternative courses of action, what is the correct moral choice? Ethical choices are decisions made by individuals who are responsible for the consequences of their actions. Information technologies are filtered through social institutions, organizations, and individuals. Systems do not have impacts by themselves. Whatever information system impacts exist are products of institutional, organizational, and individual actions and behaviors. The responsibility for the consequences of technology falls clearly on the institutions, organizations, and individuals who choose to use the technology. Using information technology in a socially responsible manner means that you can and will be held accountable for the consequences of your actions.

Technology poses new challenges for our ethics, the principles and standards that guide our behavior toward other people. Figure 3-28 summarizes the concepts, terms, and ethical issues stemming from advances in technology. Individuals determine how to use information and how information affects them. How individuals behave toward each other, how they handle information and technology, are largely influenced by their ethics. Ethical dilemmas usually arise not in simple, clear-cut situations but out of a clash between competing goals, responsibilities, and loyalties. Some examples of ethically questionable or unacceptable uses of information technology include:

1. Individuals copy, use, and distribute software.
2. Employees search organizational databases for sensitive corporate and personal information.
3. Organizations collect, buy, and use information without checking the validity or accuracy of the information.
4. Individuals create and spread viruses that cause trouble for those using and maintaining IT systems.
5. Individuals hack into computer systems to steal proprietary information.
6. Employees destroy or steal proprietary organization information such as schematics, sketches, customer lists, and reports.

Figure 3-28 Technology-related ethical issues
Intellectual property: Intangible creative work that is embodied in physical form.
Copyright: The legal protection afforded an expression of an idea, such as a song, video game, and some types of proprietary documents.
Fair use doctrine: In certain situations, it is legal to use copyrighted material.
Pirated software: The unauthorized use, duplication, distribution, or sale of copyrighted software.
Counterfeit software: Software that is manufactured to look like the real thing and sold as such.

Privacy is one of the largest ethical issues facing organizations. Privacy is the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent. Privacy is related to confidentiality, which is the assurance that messages and information are available only to those who are authorized to view them. Some of the most problematic decisions facing organizations lie in the murky and turbulent waters of privacy. The burden comes from the knowledge that each time an employee makes a decision regarding issues of privacy, the outcome could potentially sink the company. Trust between companies, customers, partners, and suppliers is the support structure of e-business. Privacy is one of the main ingredients in trust. Privacy continues to be one of the primary barriers to the growth of e-business.

Information has no ethics. Information does not care how it is used. It will not stop itself from spamming customers, sharing itself if it is sensitive or personal, or revealing details to third parties. Information cannot delete or preserve itself. Therefore, it falls on the shoulders of those who own the information to develop ethical guidelines on how to manage the information. Treating sensitive corporate information as a valuable resource is good management. Building a corporate culture based on ethical principles that employees can understand and implement is responsible management.

Organizations should develop written policies establishing employee guidelines, personnel procedures, and organizational rules for information. These policies set employee expectations about the organization's practices and standards and protect the organization from misuse of computer systems and IT resources. These policies address the ethical use of computers and Internet usage in the business environment. These policies typically embody the following:

1. Ethical computer use policy: General principles to guide computer user behavior.
2. Information privacy policy: General principles regarding information privacy.
3. Acceptable use policy: A policy that a user must agree to follow in order to be provided access to a network or to the Internet.
4. E-mail privacy policy: Details on the extent to which e-mail messages may be read by others.
5. Internet use policy: General principles to guide the proper use of the Internet.
6. Anti-spam policy: The policy states that e-mail users will not send unsolicited e-mails (or spam).

3.5.2 Information Security


Organizational information is intellectual capital. Just as organizations protect their assets, keeping their money in an insured bank or providing a safe working environment for employees, they must also protect their intellectual capital. An organization's intellectual capital includes everything from its patents to its transactional and analytical information. With security breaches on the rise and computer hackers everywhere, an organization must put in place strong security measures to survive. All businesses must understand the importance of information security. Information security is a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization. Security is perhaps the most fundamental and critical of all the technologies/disciplines an organization must have squarely in place to execute its business strategy. Without solid security processes and procedures, none of the other technologies can develop business advantages.

Enterprises can implement information security lines of defense through people first and through technology second. Adding to the complexity of information security is the fact that organizations must enable employees, customers, and partners to access information electronically to be successful in this electronic world. Doing business electronically automatically creates tremendous information security risks for organizations. Surprisingly, the biggest issue surrounding information security is not a technical issue, but a people issue. Most information security breaches result from people misusing an organization's information either advertently or inadvertently. For example, many individuals freely give up their passwords or write them on sticky notes next to their computers, leaving the door wide open to intruders. Hackers frequently use such social engineering to obtain passwords. Social engineering is using one's social skills to trick people into revealing access credentials or other information valuable to the attacker.

Information security policies identify the rules required to maintain information security. An information security plan details how an organization will implement the information security policies. Once an organization has protected its intellectual capital by arming its people with a detailed information security plan, it can begin to focus its efforts on deploying the right types of information security technologies. Organizations can deploy numerous technologies to prevent information security breaches. When determining which types of technologies to invest in, it helps to understand the three primary information security areas:

1. Authentication and authorization: Authentication is a method for confirming users' identities. Once a system determines the authentication of a user, it can then determine the access privileges (or authorization) for that user. Authorization is the process of giving someone permission to do or have something. Authentication and authorization techniques include (1) something the user knows such as a user ID and password, (2) something the user has such as a smart card or token, and (3) something that is part of the user such as a fingerprint or voice signature. Identity theft is the forging of someone's identity for the purpose of fraud. The fraud is often financial fraud, to apply for and use credit cards in the victim's name or to apply for a loan. Phishing is a common way to steal identities online. Phishing is a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail.

2. Prevention and resistance: Prevention and resistance technologies stop intruders from accessing intellectual capital. One of the most common defenses for preventing a security breach is a firewall. A firewall is hardware and/or software that guards a private network by analyzing the information leaving and entering the network. Firewalls examine each message that wants entrance to the network. Unless the message has the correct markings, the firewall prevents it from entering the network. Content filtering occurs when organizations use software that filters content to prevent the transmission of unauthorized information. Organizations can use content filtering technologies to filter e-mail and prevent e-mails containing sensitive information from transmitting, whether the transmission was malicious or accidental. Encryption scrambles information into an alternative form that requires a key or password to decrypt the information. If there is an information security breach and the information was encrypted, the person stealing the information will be unable to read it.

3. Detection and response: If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage. The most common type of defense is antivirus software.
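The content filtering of outbound e-mail described under prevention and resistance can be sketched as follows. This is an added example, not part of the original chapter; the mail domain, the sensitivity markings, and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumptions for this illustration: the organization's own mail domain and
# the document markings its policy treats as sensitive.
INTERNAL_DOMAIN = "example.com"
MARKING = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)
# Simple candidate pattern: 13 to 19 digits, optionally separated by single
# spaces or hyphens. The Luhn check below weeds out most non-card numbers.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits):
    """Checksum used by payment card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:      # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings in the text that pass the Luhn check."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def filter_outbound(message):
    """Return (action, reasons) for one message leaving the mail system."""
    external = [addr for addr in message["to"]
                if addr.lower().rsplit("@", 1)[-1] != INTERNAL_DOMAIN]
    if not external:
        return "allow", []         # nothing leaves the organization
    text = message["subject"] + "\n" + message["body"]
    reasons = []
    for card in find_card_numbers(text):
        # Log only the last four digits so the filter's own log stays clean.
        reasons.append("card number " + "*" * (len(card) - 4) + card[-4:])
    if MARKING.search(text):
        reasons.append("sensitivity marking")
    return ("block" if reasons else "allow"), reasons


# Constructed sample messages (4111 1111 1111 1111 is a well-known test number).
SAMPLES = [
    {"to": ["ana@example.com"], "subject": "Refund",
     "body": "Card on file: 4111 1111 1111 1111"},
    {"to": ["vendor@partner.test"], "subject": "Refund",
     "body": "Card on file: 4111 1111 1111 1111"},
    {"to": ["vendor@partner.test"], "subject": "Shipment",
     "body": "Tracking number 1234567890123456"},
    {"to": ["friend@mail.test"], "subject": "FYI",
     "body": "Attached plan is Confidential, do not forward."},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["to"], filter_outbound(sample))
```

The filter makes no judgment about intent: the accidental and the malicious sender are stopped by the same rule.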

Implementing information security lines of defense through people first and through technology second is the best way for an organization to protect its vital intellectual capital. The first line of defense is securing intellectual capital by creating an information security plan detailing the various information security policies. The second line of defense is investing in technology to help secure information through authentication and authorization, prevention and resistance, and detection and response.

3.5.3 Establishing a Framework for Systems Security and Control


Can you imagine what would happen if you tried to link to the Internet without a firewall or antivirus software? Your computer would be disabled in a few seconds, and it might take you many days to recover. If you operate a business today, you need to make security and control a top priority. Security refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. Controls are methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards. Figure 3-29 illustrates the most common threats against contemporary information systems. They can stem from technical, organizational, and environmental factors compounded by poor management decisions. Large public networks, such as the Internet, are more vulnerable than internal networks because they are virtually open to anyone. When the Internet becomes part of the corporate network, the organization's information systems are even more vulnerable to actions from outsiders.

Figure 3-29 Contemporary security challenges and vulnerabilities
User (Client): Unauthorized access; Errors; Viruses and worms; Spyware
Communications Lines: Tapping; Sniffing; Message alteration; Theft and fraud; Radiation
Corporate Servers: Hacking; Viruses and worms; Theft and fraud; Vandalism; Denial of service attacks
Corporate Systems (Database; Hardware, Operating Systems, Application Software): Theft of data; Copying data; Alteration of data; Hardware failure; Software failure

Software errors pose a constant threat to information systems. Growing complexity and size of software programs, coupled with demands for timely delivery to markets, have contributed to an increase in software flaws or vulnerabilities. A major problem with software is the presence of hidden bugs or program code defects. Studies have shown that it is virtually impossible to eliminate all bugs from large programs. Zero defects cannot be achieved in larger programs. Complete testing simply is not possible. Fully testing programs that contain thousands of choices and millions of paths would require thousands of years. Flaws in commercial software not only impede performance but also create security vulnerabilities that open networks to intruders. Each year, security firms identify about 5,000 software vulnerabilities in Internet and PC software. To correct software flaws once they are identified, the software vendor creates small pieces of software called patches to repair the flaws without disturbing the proper operation. It is up to users of the software to track these vulnerabilities, test, and apply all patches. This process is called patch management.

Even with the best security tools, your information system won't be reliable and secure unless you know how and where to deploy them. You will need to know where your company is at risk and what controls you must have in place to protect your information systems. Before your company commits resources to security and information systems controls, it must know which assets require protection and the extent to which these assets are vulnerable. A risk assessment helps answer these questions and determine the most cost-effective set of controls for protecting assets. A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Business managers working with information system specialists can determine the value of information assets, points of vulnerability, the likely frequency of a problem, and the potential for damage. Once the risks have been assessed, system builders will concentrate on the control points with the greatest vulnerability and potential for loss.

Once you have identified the main risks to your systems, your company will need to develop a security policy for protecting the company's assets. A security policy consists of statements ranking information risks, identifying acceptable security goals, and identifying mechanisms for achieving these goals. The security policy drives policies determining acceptable use of the firm's information resources and which members of the company have access to its information assets.

Information systems controls consist of both general controls and application controls. General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure. On the whole, general controls apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment. General controls include the following controls:

Software controls: Monitor the use of system software and prevent unauthorized access of software programs, system software, and computer programs.
Hardware controls: Ensure that computer hardware is physically secure, and check for equipment malfunction. Organizations that are critically dependent on their computers also must make provisions for backup or continued operation to maintain constant service.
Computer operations controls: Oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data.
Data security controls: Ensure that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage.
Implementation controls: Audit the systems development process at various points to ensure that the process is properly controlled and managed.
Administrative controls: Formalized standards, rules, procedures, and control disciplines to ensure that the organization's general and application controls are properly executed and enforced.
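The risk assessment described earlier in this section combines the likely frequency of a problem with its potential for damage, then asks which controls are cost effective. The following added example (not part of the original chapter) works that through; every exposure, control, and figure in it is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    occurrences_per_year: float   # likely frequency of the problem
    loss_per_occurrence: float    # potential damage each time it happens

    @property
    def expected_annual_loss(self):
        return self.occurrences_per_year * self.loss_per_occurrence


@dataclass(frozen=True)
class Control:
    name: str
    exposure: str                 # name of the exposure it addresses
    annual_cost: float
    frequency_reduction: float    # fraction of occurrences prevented, 0..1


def rank_exposures(exposures):
    """Greatest expected annual loss first: where system builders look first."""
    return sorted(exposures, key=lambda e: e.expected_annual_loss, reverse=True)


def evaluate_controls(exposures, controls):
    """Net annual benefit of each control: loss avoided minus cost of the control."""
    by_name = {e.name: e for e in exposures}
    rows = []
    for control in controls:
        if control.exposure not in by_name:
            raise KeyError("no assessed exposure named " + control.exposure)
        if not 0 <= control.frequency_reduction <= 1:
            raise ValueError("frequency_reduction must be between 0 and 1")
        avoided = (by_name[control.exposure].expected_annual_loss
                   * control.frequency_reduction)
        rows.append({"control": control.name,
                     "loss_avoided": avoided,
                     "net_benefit": avoided - control.annual_cost})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


def cost_effective(exposures, controls):
    """Controls that save more per year than they cost."""
    return [row["control"] for row in evaluate_controls(exposures, controls)
            if row["net_benefit"] > 0]


# Constructed figures for an order-processing system.
EXPOSURES = [
    Exposure("embezzlement", 0.125, 16_000),
    Exposure("power failure", 0.25, 120_000),
    Exposure("order-entry user error", 2.0, 10_000),
]
CONTROLS = [
    Control("quarterly duties audit", "embezzlement", 3_000, 0.5),
    Control("backup power supply", "power failure", 5_000, 0.75),
    Control("order-entry input checks", "order-entry user error", 4_000, 0.5),
]

if __name__ == "__main__":
    for exposure in rank_exposures(EXPOSURES):
        print(exposure.name, exposure.expected_annual_loss)
    for row in evaluate_controls(EXPOSURES, CONTROLS):
        print(row)
```

With these figures the audit costs more per year than the loss it avoids, so on cost alone it would be justified only by something other than expected loss.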

Application controls are specific controls unique to each computerized application, such as payroll or order processing. They ensure that only authorized data are completely and accurately processed by that application. Application controls can be classified as (1) input controls, which check data for accuracy and completeness when they enter the system; (2) processing controls, which establish that data are complete and accurate during updating; and (3) output controls, which ensure that the results of computer processing are accurate, complete, and properly distributed.

A business needs to plan for events, such as power outages, floods, earthquakes, or terrorist attacks, that will prevent your information systems and your business from operating. Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services. Business continuity planning focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down. Business managers and information technology specialists need to work together on both types of plans to determine which systems and business processes are most critical to the company.
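The three classes of application control described above (input, processing, and output) are shown here for an order-processing batch. This is an added example, not part of the original chapter; the field names, clerk IDs, limits, batch header, and sample orders are assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed values for the illustration.
AUTHORIZED_CLERKS = {"clerk01", "clerk02"}
REQUIRED_FIELDS = ("order_id", "customer_id", "quantity", "unit_price", "entered_by")
MAX_QUANTITY = 1000


def input_control(record):
    """Input control: accuracy and completeness errors for one order (empty if clean)."""
    errors = []
    for field in REQUIRED_FIELDS:
        value = record.get(field)
        if value is None or not str(value).strip():
            errors.append("missing " + field)
    if errors:
        return errors
    if record["entered_by"] not in AUTHORIZED_CLERKS:
        errors.append("entered by unauthorized user")
    try:
        if not 1 <= int(record["quantity"]) <= MAX_QUANTITY:
            errors.append("quantity out of range")
    except ValueError:
        errors.append("quantity is not a whole number")
    try:
        if Decimal(record["unit_price"]) <= 0:
            errors.append("unit_price must be positive")
    except InvalidOperation:
        errors.append("unit_price is not numeric")
    return errors


def process_batch(records, header):
    """Processing control: post clean orders, then reconcile the posted record
    count and value against the control totals supplied with the batch."""
    accepted, rejected = [], {}
    for record in records:
        errors = input_control(record)
        if errors:
            rejected[record.get("order_id") or "<no id>"] = errors
        else:
            accepted.append(record)
    posted_total = sum((int(r["quantity"]) * Decimal(r["unit_price"]) for r in accepted),
                       Decimal("0"))
    reconciled = (len(accepted) == header["record_count"]
                  and posted_total == Decimal(header["control_total"]))
    return {"accepted": accepted, "rejected": rejected,
            "posted_total": posted_total, "reconciled": reconciled}


def output_control(result, recipient, distribution_list):
    """Output control: release the report only if the batch reconciled and the
    recipient is on the report's distribution list."""
    if not result["reconciled"]:
        return "held: batch totals do not reconcile"
    if recipient not in distribution_list:
        return "refused: recipient not on distribution list"
    return "released"


# Constructed batch as keyed at order entry; the header holds the totals the
# submitting department calculated by hand (4 orders worth 174.97).
SAMPLE_BATCH = [
    {"order_id": "A-1001", "customer_id": "C-17", "quantity": "3",
     "unit_price": "19.99", "entered_by": "clerk01"},
    {"order_id": "A-1002", "customer_id": "C-22", "quantity": "0",
     "unit_price": "5.00", "entered_by": "clerk02"},
    {"order_id": "A-1003", "customer_id": "", "quantity": "2",
     "unit_price": "7.50", "entered_by": "clerk01"},
    {"order_id": "A-1004", "customer_id": "C-09", "quantity": "1",
     "unit_price": "100.00", "entered_by": "temp99"},
]
SAMPLE_HEADER = {"record_count": 4, "control_total": "174.97"}

if __name__ == "__main__":
    outcome = process_batch(SAMPLE_BATCH, SAMPLE_HEADER)
    print(outcome["rejected"], outcome["posted_total"])
    print(output_control(outcome, "sales-manager", {"sales-manager"}))
```

Rejected orders leave the posted totals short of the batch header, so the report is held until the rejects are corrected and resubmitted rather than being distributed with silent gaps.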
