
Chapter 6: IT Planning and Controlling


Presentation Transcript


  1. Chapter 6: IT Planning and Controlling
     MBAD 7090
     IS Security, Audit, and Control (Dr. Zhao)

  2. Objectives
     • Governance Processes
     • Project Planning and Control in SDLC
     • E-Commerce Security Management

  3. Governance Processes
     • Goal: effective financial control over IT investment and operating budget
     • Needed to ensure the effective use of resources and alignment with business objectives
     • Demand Management
     • Project Initiation
     • Technical Review
     • Procurement and Vendor Management
     • Strategic Sourcing and Vendor Management
     • Resource Management and Service Management
     • Chargeback

  4. Demand Management and Project Initiation
     • Demand management: how to devote limited resources?
        • Projects that have a strong business case
        • Projects that have senior management approval and a sponsor
     • Project initiation: how to start an approved project?
        • Determines the total cost and benefit for a project by defining high-level business requirements and a conceptual solution
        • Business users develop requirements and a business case
        • Software developers develop a solution and cost estimate
        • These form the basis for the project budget

  5. Technical Review
     • Ensures compliance with technology standards so that:
        • It is the right solution
        • It integrates with other IT components
        • It can be supported with minimal investment in infrastructure
     • IT Steering committees
        • Representatives from major areas in the organization
        • Evaluate:
           • Technical feasibility
           • Alternative technologies
           • Architecture
           • In-house skill compatibility
           • Existing environments/replacements
           • Implementation, licensing, and cost considerations
           • Research and analyst views
           • Vendor company profile and financial feasibility

  6. Procurement and Vendor Management
     • The right terms and conditions are negotiated
     • Depending on the extent of the service, a formal Request for Proposal (RFP) is prepared to request competitive bids
        • Should include service levels with contract penalties and tracking metrics/success criteria
     • 45% to 60% of an average IT budget is spent with third-party vendors
     • Key criteria to insource or outsource include strategy, competency, and risk

  7. Example of Process: Vendor Management Process
     Technology Request (Account Manager)
        • Review requirements with customer
        • Identify potential solutions
        • Evaluate potential solutions
        • Recommend vendor solution
        Customer works with Account Manager to document requirements and identify potential solutions.
     Technology Approval (Technical Steering Committee, TSC)
        • Evaluate architecture
        • Determine impact
        • Approve/disapprove
        Account Manager works with TSC members to evaluate solution.
     Request for Proposal
        • Finalize requirements and scope
        • Request vendor proposals
        • Evaluate vendor proposals
        Account Manager works with IT Procurement Team to evaluate vendor proposals.
     Negotiation (IT Procurement Team)
        • Define scope of work
        • Define contract terms
        • Negotiate services and costs
        Account Manager works with IT Procurement Team to negotiate vendor terms.
     Vendor Management (IT Procurement Team)
        • Monitor vendor performance
        • Administer contracts
        • Budget for costs
     Technology/Contract Refresh (IT Procurement Team)
        • Track contracts and assets
        • Negotiate technology refresh
        • Negotiate contract renewal/upgrades
        IT Procurement Team notifies customer of contract end date.

  8. Resource Management and Service Management
     • Effectively manage people by creating an environment for training and development of skills
     • Match the right people with the right skills for the right projects
     • Service level agreements state the expectations between both parties
        • Include measurable criteria for monitoring on a regular basis
     • “You cannot manage what you don’t measure.” (Gartner)

  9. Budgeting
     • Carefully control and manage IT spending
        • Business volume growth projections
        • New technology investments
        • Staffing plans
        • Infrastructure capacity plans
        • Labor, software, hardware, etc.

  10. Chargeback
     • Charging users for the services they consume
     • Advantages:
        • Holds users accountable
        • Provides visibility into IT costs
     • Disadvantages:
        • Misperception that IT costs are high because infrastructure costs are factored into the chargeback amount
        • Example: delivering a desktop to a user
           • It might be more expensive than an individual buying a PC.
           • Why?

  11. Project Planning and Control in the SDLC
     • Six generic phases:
        • Project Planning
        • Analysis
        • Design
        • Construction
        • Test
        • Rollout

  12. Project Planning
     Project Planning Phase (diagram: Project Definition and Planning)
        • Review Present Status
        • Survey Information Needs
        • Assess Packaged Systems Options
        • Perform Project Impact Analysis
        • Initiate Project and Organize
        • Management Review and Approval
        • Develop Concept Design
        • Identify Business Objectives / Information Strategy
        • Identify hardware, software, information structure / environment
        • Evaluate Development Alternatives
        • Finalize Project Work Plan
     • High-level view of the intended project

  13. Project Planning Phase
     • Project Initiation – management approval for the development effort
        • Scope
        • Feasibility
        • Project plan
     • Review of Present Status – review strengths and weaknesses of the existing application
        • Can be done with a feasibility study

  14. Project Planning Phase
     • Identify Business Objectives and Information Strategy – key to understanding what you are trying to build
     • Conceptual Design – high-level design of the development environment
        • Hardware, software, business functions to be maintained, system architecture, and interfaces

  15. Project Planning Phase
     • Evaluate Development Alternatives – review the development options with their cost/benefit analysis to select a development direction (insource, outsource, or a combination of the two)
     • Project Work Plan – tasks and resources needed to develop the system
        • Agreement between the acquirer and the developers
        • An example follows on the next slide

  16. A Project Work Plan Example (figure only; not reproduced in the transcript)

  17. E-commerce Security
     • Cyber-crime is increasing every year (CSI 2007)
        • The average annual loss reported more than doubled, from $168,000 in last year's report to $350,424 in this year's survey. Reported losses have not been this high in the last five years.
        • Financial fraud overtook virus attacks as the source of the greatest financial loss. Virus losses, which had been the leading cause of loss for seven straight years, fell to second place.
        • Of respondents who experienced security incidents, almost one-fifth said they'd suffered a "targeted attack," i.e. a malware attack aimed exclusively at a specific organization or targeted group.

  18. Information Security Management Systems (ISMS)
     • Infrastructure and procedures to guarantee the confidentiality, integrity and availability of the data
     • Includes:
        • Policy and procedures
        • Scope of the ISMS
        • Risk assessment
        • Risk areas
        • Controls
        • Documentation

  19. Strategic Aspect
     • Plan corporate objectives
     • Define e-commerce objectives clearly
     • Define budgets
        • To meet security objectives
     • Define information security policy
        • Includes e-commerce objectives, actions, and methods

  20. Organizational Aspect
     • Set up a security team
     • Define responsibilities for security
     • Create training programs
     • Document security procedures
     • Apply security procedures
     • Comply with security procedures

  21. Technical Aspects
     • IT infrastructure security:
        • Firewall and virus protection
        • Backup and recovery
        • Access control and authentication
        • Encryption
        • Intrusion detection
        • Vulnerability management
        • Monitor threats

  22. Financial and Legal Aspects
     • Financial aspects
        • Financial evaluation of company resources needing protection
        • Includes the cost of securing the resources
     • Legal aspects
        • Consider the legal requirements for each country in which your organization operates
        • Security policies are necessary to comply with national and international laws and standards

  23. Audit Involvement
     • Formal procedures exist for systems development
        • Well-defined phases and checkpoints for audit review and evaluation
        • Provide an independent report on adherence to objectives and procedures
     • Planning and Analysis Phase
        • Ensure that a business need exists and that it is formulated into an objective with a plan to meet the objective

  24. Audit Involvement
     • Conception of the Plan
        • A plan exists to clarify system objectives and user needs
        • Determine the reasonableness of the project
        • Senior management commitment to the project
        • Audit involvement and requirements are communicated
     • Project Organization
        • Project structure is adequate
        • Staff responsibilities are clearly stated
        • Methods of communication are clear
        • Considerable effort is spent on the analysis of the business problem
        • User needs are met
