Monday, January 26, 2015

BCS/PGD/MIS/SISP

Strategic Information System Planning
The Ad Hoc Approach
This is the worst possible approach to developing information systems, because the people in the development process are perpetually fire fighting. There is no plan, and the development work is carried out according to the wishes of the developer, based on his understanding of what the needs of the user should be. The outcome of this kind of approach is not one synchronized, synergized system but a host of systems that work in isolation.
The Data Collection Approach
In this approach, all possible data about the need for the system and about the system is collected. This approach assumes that information systems are best developed based on data from all quarters. This results in lack of focus and understanding as the systems development process gets mired unnecessarily into other issues, like projecting the future information requirement in granular detail by the user.
The Organization Chart Approach
In this approach the information system is developed with the organization structure in mind. It assumes that information strictly flows on the basis of organizational structures. Junctions of information exchange are made on an ad hoc basis which complicates the flow of information and brings in redundancy in the system.
Now that we know how not to approach IS development in an organization, let us discuss the appropriate approaches for IS development.
The Top-down Approach
The top-down approach is used to develop IS with the objectives in focus. The objectives of the IS become the most important priority. The objectives are clearly defined in the first step, followed by identification of the activities of the organization. This in turn is followed by the third step in which the decision-making needs of managers within the organization are analyzed and the necessary information flow for facilitating information delivery to managers for decision-making is understood in detail. Once all the details are available, the application is developed. In this type of system the objectives become the mainstay of the system. However, for this kind of system, the requirements from the systems have to be clearly understood upfront to avoid any problems in the development process. This is because the strategy of development is such that the design is not adequately dynamic.

The Bottom-up Approach

In the bottom-up approach, we find out the type of information that is produced in the operational subsystem and then work backward to integrate this with the entire IS structure to have an organization-wide impact. In this design, there is more flexibility to change the information system deliverables even during the development process, as the individual subsystems are not designed according to the demands of the upper layers as they are in the top-down approach. On the contrary, here the upper layers are integrated with the lower-layer subsystems to create the IS. Thus, bottom-up systems can expand in response to real-world changes and needs of the organization.

Monday, January 19, 2015

BCS/DIP/PGD/MIS,CSM,ITSM/PHYSICAL SECURITY

Physical Security
#1: Lock up the server room
Even before you lock down the servers, in fact, before you even turn them on for the first time, you should ensure that there are good locks on the server room door. Of course, the best lock in the world does no good if it isn't used, so you also need policies requiring that those doors be locked any time the room is unoccupied, and the policies should set out who has the key or keycode to get in.
The server room is the heart of your physical network, and someone with physical access to the servers, switches, routers, cables and other devices in that room can do enormous damage.
#2: Set up surveillance
Locking the door to the server room is a good first step, but someone could break in, or someone who has authorized access could misuse that authority. You need a way to know who goes in and out and when. A log book for signing in and out is the most elemental way to accomplish this, but it has a lot of drawbacks. A person with malicious intent is likely to just bypass it.
A better solution than the log book is an authentication system incorporated into the locking devices, so that a smart card, token, or biometric scan is required to unlock the doors, and a record is made of the identity of each person who enters.
A video surveillance camera, placed in a location that makes it difficult to tamper with or disable (or even to find) but gives a good view of persons entering and leaving, should supplement the log book or electronic access system. Surveillance cams can monitor continuously, or they can use motion detection technology to record only when someone is moving about. They can even be set up to send e-mail or cell phone notification if motion is detected when it shouldn't be (such as after hours).
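The record kept by an electronic access system is only useful if someone reviews it. The following added example (not part of the original post) reviews a door-controller export for denied attempts, entries by people who are not on the key-holder list from #1, and after-hours entries. The log format, names and business hours are constructed assumptions.

```python
import csv
from datetime import datetime, time
from io import StringIO

# Constructed sample export from a door controller: timestamp,door,holder,result
SAMPLE_LOG = """\
2015-01-19T09:02:11,server-room,alice,GRANTED
2015-01-19T13:40:05,server-room,bob,GRANTED
2015-01-19T13:41:30,server-room,mallory,DENIED
2015-01-19T13:41:52,server-room,mallory,DENIED
2015-01-20T02:14:07,server-room,bob,GRANTED
2015-01-24T11:00:00,server-room,carol,GRANTED
"""

AUTHORIZED = {"alice", "bob"}          # hypothetical key-holder list set by policy
OPEN, CLOSE = time(8, 0), time(18, 0)  # assumed business hours, Monday to Friday


def parse_events(text):
    """Parse log lines into dicts with a real datetime; skip malformed rows."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 4:
            continue
        try:
            when = datetime.strptime(row[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events.append({"when": when, "door": row[1], "holder": row[2], "result": row[3].upper()})
    return events


def review(events, authorized=AUTHORIZED, open_t=OPEN, close_t=CLOSE):
    """Return (reason, event) pairs that a person should follow up on."""
    findings = []
    for ev in events:
        if ev["result"] == "DENIED":
            findings.append(("denied attempt", ev))
            continue
        if ev["holder"] not in authorized:
            findings.append(("holder not on key-holder list", ev))
        off_hours = ev["when"].weekday() >= 5 or not (open_t <= ev["when"].time() < close_t)
        if off_hours:
            findings.append(("after-hours entry", ev))
    return findings

if __name__ == "__main__":
    for reason, ev in review(parse_events(SAMPLE_LOG)):
        print(f'{ev["when"]:%Y-%m-%d %H:%M} {ev["door"]} {ev["holder"]}: {reason}')
```

A granted entry can produce more than one finding, as the Saturday entry by carol does, so the reviewer sees every reason it stands out.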
#3: Make sure the most vulnerable devices are in that locked room
Remember, it's not just the servers you have to worry about. A hacker can plug a laptop into a hub and use sniffer software to capture data traveling across the network. Make sure that as many of your network devices as possible are in that locked room, or if they need to be in a different area, in a locked closet elsewhere in the building.
#4: Don't forget the workstations
Hackers can use any unsecured computer that's connected to the network to access or delete information that's important to your business. Workstations at unoccupied desks or in empty offices (such as those used by employees who are on vacation or have left the company and not yet been replaced) or at locations easily accessible to outsiders, such as the front receptionist's desk, are particularly vulnerable.
Disconnect and/or remove computers that aren't being used and/or lock the doors of empty offices, including those that are temporarily empty while an employee is at lunch or out sick. Equip computers that must remain in open areas, sometimes out of view of employees, with smart card or biometric readers so that it's more difficult for unauthorized persons to log on.
#5: Protect the portables
Laptops and handheld computers pose special physical security risks. A thief can easily steal the entire computer, including any data stored on its disk as well as network logon passwords that may be saved. If employees use laptops at their desks, they should take them with them when they leave or secure them to a permanent fixture with a cable lock, such as the one at PC Guardian.
Handhelds can be locked in a drawer or safe or just slipped into a pocket and carried on your person when you leave the area. Motion sensing alarms such as the one at SecurityKit.com are also available to alert you if your portable is moved.
For portables that contain sensitive information, full disk encryption, biometric readers, and software that "phones home" if the stolen laptop connects to the Internet can supplement physical precautions.
#6: Pack up the backups
Backing up important data is an essential element in disaster recovery, but don't forget that the information on those backup tapes, disks, or discs can be stolen and used by someone outside the company. Many IT administrators keep the backups next to the server in the server room. They should be locked in a drawer or safe at the very least. Ideally, a set of backups should be kept off site, and you must take care to ensure that they are secured in that offsite location.
Don't overlook the fact that some workers may back up their work on floppy disks, USB keys, or external hard disks. If this practice is allowed or encouraged, be sure to have policies requiring that the backups be locked up at all times.
#7: Disable the drives
If you don't want employees copying company information to removable media, you can disable or remove floppy drives, USB ports, and other means of connecting external drives. Simply disconnecting the cables may not deter technically savvy workers. Some organizations go so far as to fill ports with glue or other substances to permanently prevent their use, although there are software mechanisms that disallow it. Disk locks, such as the one at SecurityKit.com, can be inserted into floppy drives on those computers that still have them to lock out other diskettes.
#8: Protect your printers
You might not think about printers posing a security risk, but many of today's printers store document contents in their own on-board memories. If a hacker steals the printer and accesses that memory, he or she may be able to make copies of recently printed documents. Printers, like servers and workstations that store important information, should be located in secure locations and bolted down so nobody can walk off with them.
Also think about the physical security of documents that workers print out, especially extra copies or copies that don't print perfectly and may be just abandoned at the printer or thrown intact into the trash can where they can be retrieved. It's best to implement a policy of immediately shredding any unwanted printed documents, even those that don't contain confidential information. This establishes a habit and frees the end user of the responsibility for determining whether a document should be shredded.