From Wikipedia, the free encyclopedia
[Figure: CS, SE, IS, IT and Customer Venn diagram, where functionality spans left and design spans right, stemming from discovery.]

An information system (IS) is any combination of information technology and people's activities using that technology to support operations, management, and decision-making. In a very broad sense, the term information system is frequently used to refer to the interaction between people, algorithmic processes, data and technology. In this sense, the term refers not only to the information and communication technology (ICT) an organization uses, but also to the way in which people interact with this technology in support of business processes.

Some make a clear distinction between information systems, ICT, and business processes. Information systems are distinct from information technology in that an information system is typically seen as having an ICT component. Information systems are also different from business processes: information systems help to control the performance of business processes.

Alter argues for an information system as a special type of work system. A work system is a system in which humans and/or machines perform work using resources (including ICT) to produce specific products and/or services for customers. An information system is a work system whose activities are devoted to processing (capturing, transmitting, storing, retrieving, manipulating and displaying) information.

Part of the difficulty in defining the term information system is due to vagueness in the definition of related terms such as system and information. Beynon-Davies argues for a clearer terminology based in systemics and semiotics. He defines an information system as an example of a system concerned with the manipulation of signs. An information system is a type of socio-technical system. An information system is a mediating construct between actions and technology. As such, information systems inter-relate with data systems on the one hand and activity systems on the other. An information system is a form of communication system in which data represent and are processed as a form of social memory. An information system can also be considered a semi-formal language which supports human decision making and action. Information systems are the primary focus of study for the information systems discipline and for organisational informatics.
Freetutes.com > Systems Analysis and Design
Types of Information Systems
Information systems differ in their business needs. They also differ according to the level of the organization they serve. The three major kinds of information system are:

1. Transaction processing systems
2. Management information systems
3. Decision support systems

Figure 1.2 shows the relation of information systems to the levels of the organization. The information needs are different at different organizational levels. Accordingly, information can be categorized as strategic information, managerial information and operational information. Strategic information is the information needed by top management for decision making. For example, the trends in revenues earned by the organization are required by top management for setting the policies of the organization. This information is not required by the lower levels in the organization. The information systems that provide this kind of information are known as Decision Support Systems.
[Figure 1.2: relation of information systems to the levels of the organization]
The second category of information, required by middle management, is known as managerial information. The information required at this level is used for making short-term decisions and plans for the organization. Information such as sales analysis for the past quarter or yearly production details falls under this category. A Management Information System (MIS) caters to such information needs of the organization. Because of their capability to fulfill the managerial information needs of the organization, Management Information Systems have become a necessity for all big organizations, and because of their size most big organizations have separate MIS departments to look into related issues and the proper functioning of the system. The third category of information relates to the daily or short-term information needs of the organization, such as attendance records of the employees. This kind of information is required at the operational level for carrying out the day-to-day operational activities. Because of its capability to provide information for processing the transactions of the organization, this kind of information system is known as a Transaction Processing System or Data Processing System. Some examples of information provided by such systems are processing of orders, posting of entries in a bank, and evaluating overdue purchase orders.
Transaction Processing Systems
A TPS processes the business transactions of the organization. A transaction can be any activity of the organization, and transactions differ from organization to organization. For example, take a railway reservation system: booking, cancelling, and so on are all transactions, and any query made to it is a transaction. However, some transactions are common to almost all organizations, such as adding a new employee, maintaining employees' leave status, and maintaining employee accounts. A TPS provides high-speed and accurate record keeping for basic operational processes, including calculation, storage and retrieval.
Transaction processing systems provide speed and accuracy, and can be programmed to follow the routine functions of the organization.
Management Information Systems
These systems assist middle management in problem solving and decision making. They use the results of transaction processing together with other information. An MIS is a set of information processing functions, and it should handle queries as quickly as they arrive. An important element of an MIS is the database. A database is a non-redundant collection of interrelated data items that can be processed through application programs and is available to many users.
Decision Support Systems
These systems assist higher management in making long-term decisions. Such systems handle unstructured or semi-structured decisions. A decision is considered unstructured if there are no clear procedures for making it and if not all the factors to be considered in the decision can be readily identified in advance. These decisions are not of a recurring nature; some recur infrequently or occur only once. A decision support system must therefore be very flexible: the user should be able to produce customized reports by giving particular data and a format specific to a particular situation.
Summary of Information Systems
Category of Information System / Characteristics

Transaction Processing System
  Substitutes computer-based processing for manual procedures. Deals with well-structured processes. Includes record-keeping applications.

Management Information System
  Provides input to be used in the managerial decision process. Deals with supporting well-structured decision situations. Typical information requirements can be anticipated.

Decision Support System
  Provides information to managers who must make judgements about particular situations. Supports decision-makers in situations that are not well structured.
The Importance of Information System
Dec 30th, 2008 by axos
why the information system is important for company and its benefit
It is a surprising fact that many companies still do not use the Internet. It is even more surprising that some of them are still using a twenty-year-old computer information system. A company information system is a set of interrelated components that collect, process, store, and disseminate information to support the company's managerial team in decision making, coordinating, controlling, and analyzing. Upgrading the computer information system is not an option in this technology-driven era; it is a requirement. Companies that use an up-to-date information system to gather, assimilate, and evaluate internal as well as external information gain a competitive advantage over other firms. Management is quicker to cater to customers' needs and complaints. With the growth of communication networks, there are almost no barriers between the firm's management, employees, customers and suppliers. Networked computing systems have made new modes of work possible. A sophisticated computer information system enables companies to monitor employees, to keep managers and employees informed, to coordinate activities among divisions, or even to sell their products to customers via the Internet. Moreover, in the era of information technology, information has become a valuable organizational asset just like human resources and inventories. Furthermore, a good information system can facilitate direct communication between the firm and its suppliers, manufacturers, dealers, and marketers. Together, they can create a value chain as though they were one organization. In the meantime, the widespread use of the information freeway is inviting unwelcome threats. Today, companies are plagued by hackers: competitors, thieves, spies, hired agents, or even disgruntled employees. Therefore, firms have taken measures to safeguard their systems, such as installing computer firewalls to keep hackers out or purchasing expensive and advanced encryption software.
More and more people are working from their homes nowadays. Information technology has become so sophisticated that it allows people to choose to work from home. Teleconferencing and video conferencing enable employees to beam in whenever needed. In addition, information technology can allow a firm to reduce costs.
Taking Ernst & Young as an example, the company has successfully reduced its office space by 2 million square feet by allowing its employees to work from home. In conclusion, an information system enables companies to react, respond
Information System Security
Section 1. Responsibilities and Duties
8-100. General. a. Information systems (IS) that are used to capture, create, store, process or distribute classified information must be properly managed to protect against unauthorized disclosure of classified information and loss of data integrity, and to ensure the availability of the data and system. Protection requires a balanced approach including IS security features, including but not limited to administrative, operational, physical, computer, communications, and personnel controls. Protective measures commensurate with the classification of the information, the threat, and the operational requirements associated with the environment of the IS are required. The requirements outlined in the following sections apply to all information systems processing classified information. Additional requirements for high-risk systems and data are covered in the NISPOM Supplement.
8-101. Responsibilities. a. The CSA shall establish a line of authority for training, oversight, program review, certification, and accreditation of IS used by contractors for the processing of classified information. The CSA will conduct a risk management evaluation based on the contractor's facility, the classification, and sensitivity of the information processed. The evaluation must ensure that a balanced, cost-effective application of security disciplines and technologies is developed and maintained. Contractor management will publish and promulgate an IS Security Policy addressing the classified processing environment. Additionally, an IS Security Manager (ISSM) will be appointed with oversight responsibility for the development, implementation, and evaluation of the facility's IS security program. Contractor management will assure that the ISSM is trained to a level commensurate with the complexity of the facility's IS.
8-102. Designated Accrediting/Approving Authority. The CSA is the Designated Accrediting/Approving Authority (DAA) responsible for accrediting information systems used to process classified information in industry.

8-103. IS Security Manager (ISSM). The ISSM:
a. Ensures the development, documentation, and presentation of IS security education, awareness, and training activities for facility management, IS personnel, users, and others, as appropriate.
b. Establishes, documents, implements, and monitors the IS Security Program and related procedures for the facility and ensures facility compliance with requirements for IS.
c. Identifies and documents unique local threats/vulnerabilities to IS.
d. Coordinates the facility IS Security Program with other facility security programs.
e. Ensures that periodic self-inspections of the facility's IS Program are conducted as part of the overall facility self-inspection program and that corrective action is taken for all identified findings and vulnerabilities. Self-inspections are to ensure that the IS is operating as accredited and that accreditation conditions have not changed.
f. Ensures the development of facility procedures to:
(1) Govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and destroying media and equipment containing classified information.
(2) Properly implement vendor-supplied authentication (password, account names) features or security-relevant features.
(3) Report IS security incidents to the CSA. Ensure proper protection or corrective measures have been taken when an incident/vulnerability has been discovered.
(4) Require that each IS user sign an acknowledgment of responsibility for the security of the IS.
(5) Implement security features for the detection of malicious code, viruses, and intruders (hackers), as appropriate.
g. Certifies to the CSA, in writing, that each System Security Plan (SSP) has been implemented; that the specified security controls are in place and properly tested; and that the IS is functioning as described in the SSP.
h. Ensures notification of the CSA when an IS no longer processes classified information, or when changes occur that might affect accreditation.
i. Ensures that personnel are trained on the IS's prescribed security restrictions and safeguards before they are initially allowed to access a system.
j. Develops and implements general and remote maintenance procedures based on requirements provided by the CSA.
8-104. Information System Security Officer(s) (ISSO). ISSOs may be appointed by the ISSM in facilities with multiple accredited IS. The ISSM will determine the responsibilities to be assigned to the ISSO, which may include the following:
a. Ensure the implementation of security measures, in accordance with facility procedures.
b. Identify and document any unique threats.
c. If so directed by the GCA and/or if an identified unique local threat exists, perform a risk assessment to determine if additional countermeasures beyond those identified in this chapter are required.
d. Develop and implement a certification test as required by the ISSM/CSA.
e. Prepare, maintain, and implement an SSP that accurately reflects the installation and security provisions.
f. Notify the CSA (through the ISSM) when an IS no longer processes classified information, or when changes occur that might affect accreditation.
g. Ensure:
(1) That each IS is covered by the facility Configuration Management Program, as applicable.
(2) That the sensitivity level of the information is determined prior to use on the IS and that the proper security measures are implemented to protect this information.
(3) That unauthorized personnel are not granted use of, or access to, an IS.
(4) That system recovery processes are monitored to ensure that security features and procedures are properly restored.
h. Document any special security requirement identified by the GCA and the protection measures implemented to fulfill these requirements for the information contained in the IS.
i. Implement facility procedures:
(1) To govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and destroying media and equipment containing classified information.
(2) To ensure that vendor-supplied authentication (password, account names) features or security-relevant features are properly implemented.
(3) For the reporting of IS security incidents and initiating, with the approval of the ISSM, protective or corrective measures when a security incident or vulnerability is discovered.
(4) Requiring that each IS user sign an acknowledgment of responsibility for the security of IS and classified information.
(5) For implementing and maintaining security-related software for the detection of malicious code, viruses, and intruders (hackers), as appropriate.
j. Conduct ongoing security reviews and tests of the IS to periodically verify that security features and operating controls are functional and effective.
k. Evaluate proposed changes or additions to the IS, and advise the ISSM of their security relevance.
l. Ensure that all active user IDs are revalidated at least annually.
8-105. Users of IS. Users of IS are either privileged or general users.
a. Privileged users have access to IS control, monitoring or administration functions. Examples include:
(1) Users having "superuser," "root," or equivalent access to a system (e.g., system administrators, computer operators, ISSOs); users with near or complete control of an IS or who set up and administer user accounts and authenticators.
(2) Users having access to change control parameters (routing tables, path priorities, addresses, etc.) on routers, multiplexers, and other key IS equipment.
(3) Users who have been given the authority to control and change other users' access to data or program files (e.g., applications software administrators, administrators of specialty file systems, database managers).
(4) Users who have been given special access for troubleshooting or monitoring an IS's security functions (e.g., those using analyzers, management tools).
b. General users are individuals who can input information to or modify information on an IS, or who can receive information from an IS without a reliable human review.
c. All users shall:
(1) Comply with the IS Security Program requirements.
(2) Be aware of and knowledgeable about their responsibilities in regard to IS security.
(3) Be accountable for their actions on an IS.
(4) Ensure that any authentication mechanisms (including passwords) issued for the control of their access to an IS are not shared and are protected at the highest classification level and most restrictive classification category of information to which they permit access.
(5) Acknowledge, in writing, their responsibilities for the protection of the IS and classified information.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer. Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business' customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures. The field of information security has grown and evolved significantly in recent years. There are many ways of gaining entry into the field as a career.
It offers many areas for specialization, including securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics science, to name a few, which are carried out by information security consultants. This article presents a general overview of information security and its core concepts.
When management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls.

Administrative controls
Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day-to-day operations are to be conducted. Laws and regulations created by government bodies are also a type of administrative control because they inform the business. Some industry sectors have policies, procedures, standards and guidelines that must be followed; the Payment Card Industry (PCI) Data Security Standard required by Visa and MasterCard is one example. Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies. Administrative controls form the basis for the selection and implementation of logical and physical controls. Logical and physical controls are manifestations of administrative controls. Administrative controls are of paramount importance.

Logical controls
Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network- and host-based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls. An important logical control that is frequently overlooked is the principle of least privilege. The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task. A blatant example of the failure to adhere to the principle of least privilege is logging into Windows as user Administrator to read email and surf the Web. Violations of this principle can also occur when an individual collects additional access privileges over time. This happens when employees' job duties change, or they are promoted to a new position, or they transfer to another department. The access privileges required by their new duties are frequently added onto their already existing access privileges, which may no longer be necessary or appropriate.

Physical controls
Physical controls monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc. Separating the network and workplace into functional areas is also a physical control. An important control that is frequently overlooked is the separation of duties. Separation of duties ensures that an individual cannot complete a critical task by himself. For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check. An applications programmer should not also be the server administrator or the database administrator; these roles and responsibilities must be separated from one another.

Security classification for information
An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification.
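The two failure modes described above (privilege creep, where an account keeps rights from a previous role, and separation-of-duties conflicts, where one person can both request and approve) are exactly what a periodic entitlement review should catch. The following is an added example written for this page, not code from the original article. The role-to-permission table, the conflict pairs and the user records are all constructed for illustration; the conflict pairs encode the article's own examples (reimbursement submit vs. approve/print, programmer vs. server admin/DBA).

```python
"""Entitlement review: flag privilege creep and separation-of-duties conflicts.

Added example, not from the original article. Role/permission tables and the
user population below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Permissions each role legitimately needs (assumed policy table).
ROLE_PERMISSIONS = {
    "accounts_payable_clerk": {"submit_reimbursement", "view_invoices"},
    "finance_manager": {"approve_payment", "view_invoices"},
    "treasury": {"print_check"},
    "app_developer": {"commit_code", "deploy_staging"},
    "server_admin": {"root_shell", "manage_services"},
    "dba": {"db_admin"},
}

# Permission pairs that one person must never hold together (separation of duties).
SOD_CONFLICTS = [
    ("submit_reimbursement", "approve_payment"),
    ("submit_reimbursement", "print_check"),
    ("approve_payment", "print_check"),
    ("commit_code", "root_shell"),
    ("commit_code", "db_admin"),
]


@dataclass
class User:
    name: str
    current_role: str
    granted: set = field(default_factory=set)  # permissions actually on the account


def excess_privileges(user):
    """Permissions held that the user's *current* role does not require.

    This is the privilege-creep check: rights carried over from an old role,
    a transfer, or a one-off troubleshooting grant that was never revoked.
    """
    required = ROLE_PERMISSIONS.get(user.current_role, set())
    return sorted(user.granted - required)


def sod_violations(user):
    """Conflicting permission pairs held by the same person."""
    return sorted((a, b) for a, b in SOD_CONFLICTS
                  if a in user.granted and b in user.granted)


def review(users):
    """Return {username: {"excess": [...], "sod": [...]}} for users with findings.

    Accounts with no findings are omitted so the report lists only what needs action.
    """
    findings = {}
    for u in users:
        excess = excess_privileges(u)
        sod = sod_violations(u)
        if excess or sod:
            findings[u.name] = {"excess": excess, "sod": sod}
    return findings


# Constructed sample population.
SAMPLE_USERS = [
    # Promoted from clerk to manager; the old submit right was never removed.
    User("alice", "finance_manager",
         {"submit_reimbursement", "approve_payment", "view_invoices"}),
    # Developer given root during an incident and never revoked.
    User("bob", "app_developer", {"commit_code", "deploy_staging", "root_shell"}),
    # Clean account: holds exactly what the role needs.
    User("carol", "treasury", {"print_check"}),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_USERS).items():
        print(name, finding)
```

Run against a real directory export, the only parts that change are how `ROLE_PERMISSIONS` and `SAMPLE_USERS` are populated; the review logic itself stays the same. Note that the SoD check deliberately looks at what is granted, not at what the role says, because the conflict is created by the accumulated rights, not the job title.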
The first step in information classification is to identify a member of senior management as the owner of the particular information to be classified. Next, develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification. Some factors that influence which classification information should be assigned include how much value that information has to the organization, how old the information is and whether or not the information has become obsolete. Laws and other regulatory requirements are also important considerations when classifying information. The type of information security classification labels selected and used will depend on the nature of the organisation, with examples being:
- In the business sector, labels such as: Public, Sensitive, Private, Confidential.
- In the government sector, labels such as: Unclassified, Sensitive But Unclassified, Restricted, Confidential, Secret, Top Secret and their non-English equivalents.
- In cross-sectoral formations, the Traffic Light Protocol, which consists of: White, Green, Amber and Red.
All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification. The classification a particular information asset has been assigned should be reviewed periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place.

Access control
Access to protected information must be restricted to people who are authorized to access the information. The computer programs, and in many cases the computers that process the information, must also be authorized. This requires that mechanisms be in place to control the access to protected information. The sophistication of the access control mechanisms should be in parity with the value of the information being protected: the more sensitive or valuable the information, the stronger the control mechanisms need to be. The foundation on which access control mechanisms are built starts with identification and authentication. Identification is an assertion of who someone is or what something is. If a person makes the statement "Hello, my name is John Doe," they are making a claim of who they are. However, their claim may or may not be true. Before John Doe can be granted access to protected information it will be necessary to verify that the person claiming to be John Doe really is John Doe. Authentication is the act of verifying a claim of identity. When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe (a claim of identity). The bank teller asks to see a photo ID, so he hands the teller his driver's license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe. If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be.
There are three different types of information that can be used for authentication: something you know, something you have, or something you are. Examples of something you know include a PIN, a password, or your mother's maiden name. Examples of something you have include a driver's license or a magnetic swipe card. Something you are refers to biometrics; examples include palm prints, fingerprints, voice prints and retina (eye) scans. Strong authentication requires providing information from two of the three different types of authentication information, for example something you know plus something you have. This is called two-factor authentication. On computer systems in use today, the username is the most common form of identification and the password is the most common form of authentication. Usernames and passwords have served their purpose, but in our modern world they are no longer adequate on their own, and they are slowly being replaced with more sophisticated authentication mechanisms. After a person, program or computer has successfully been identified and authenticated, it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change). This is called authorization. Authorization to access information and other computing services begins with administrative policies and procedures. The policies prescribe what information and computing services can be accessed, by whom, and under what conditions. The access control mechanisms are then configured to enforce these policies. Different computing systems are equipped with different kinds of access control mechanisms; some may even offer a choice of different access control mechanisms. The access control mechanism a system offers will be based upon one of three approaches to access control, or it may be derived from a combination of the three approaches.
The non-discretionary approach consolidates all access control under a centralized administration. Access to information and other resources is usually based on the individual's function (role) in the organization or the tasks the individual must perform. The discretionary approach gives the creator or owner of the information resource the ability to control access to those resources. In the mandatory access control approach, access is granted or denied based upon the security classification assigned to the information resource. Examples of common access control mechanisms in use today include role-based access control available in many advanced database management systems, simple file permissions provided in the UNIX and Windows operating systems, Group Policy Objects provided in Windows network systems, Kerberos, RADIUS, TACACS, and the simple access lists used in many firewalls and routers. To be effective, policies and other security controls must be enforceable and upheld. Effective policies ensure that people are held accountable for their actions. All failed and successful authentication attempts must be logged, and all access to information must leave some type of audit trail.
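The three approaches above are easiest to compare when implemented side by side on the same request, and the paragraph's last requirement (every decision leaves an audit trail) is easy to forget unless the logging lives inside the decision function itself. The following is an added example for this page, not code from the original article. It combines a mandatory check (using the government-style labels listed earlier in this article as the ordering), a discretionary owner-controlled ACL, and a role-based grant table; the policy tables, users and the "quarterly_report" resource are all constructed for illustration, and the rule that the mandatory check is a hard floor the other two cannot override is an assumed policy choice.

```python
"""Mandatory, discretionary and role-based access control side by side,
with an audit trail of every decision.

Added example, not from the original article. Labels, roles, users and
resources are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Mandatory (MAC): ordering of the government-style classification labels.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str                                   # MAC: label the subject is cleared to
    roles: Set[str] = field(default_factory=set)     # RBAC (non-discretionary)


@dataclass
class Resource:
    name: str
    classification: str                              # MAC: label assigned to the information
    owner: str                                       # DAC: the owner controls the ACL
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # DAC: user -> allowed actions


# RBAC: (resource, action) pairs each role may perform (assumed central policy table).
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("quarterly_report", "view")},
    "editor": {("quarterly_report", "view"), ("quarterly_report", "change")},
}

AUDIT_LOG: List[str] = []   # every decision, allowed or denied, is appended here


def mac_allows(subject: Subject, res: Resource, action: str) -> bool:
    """No read-up: a subject may view only at or below its clearance.
    Writes are allowed only at the subject's own level (no write-down)."""
    s, o = LEVELS[subject.clearance], LEVELS[res.classification]
    return s >= o if action == "view" else s == o


def dac_allows(subject: Subject, res: Resource, action: str) -> bool:
    """Discretionary: the owner has full control; others need an explicit ACL entry."""
    if subject.name == res.owner:
        return True
    return action in res.acl.get(subject.name, set())


def rbac_allows(subject: Subject, res: Resource, action: str) -> bool:
    """Non-discretionary: access follows the subject's roles, not identity."""
    return any((res.name, action) in ROLE_GRANTS.get(r, set()) for r in subject.roles)


def authorize(subject: Subject, res: Resource, action: str) -> bool:
    """Combined decision: MAC is a hard floor (assumed policy); then either the
    owner's ACL or a role grant must permit the action. Every decision is logged."""
    checks = {"mac": mac_allows(subject, res, action),
              "dac": dac_allows(subject, res, action),
              "rbac": rbac_allows(subject, res, action)}
    allowed = checks["mac"] and (checks["dac"] or checks["rbac"])
    AUDIT_LOG.append(f"{subject.name} {action} {res.name}: "
                     f"{'ALLOW' if allowed else 'DENY'} {checks}")
    return allowed


# Constructed scenario: one Confidential report and four subjects.
REPORT = Resource("quarterly_report", "Confidential", owner="dana", acl={"erin": {"view"}})
SUBJECTS = {
    "dana": Subject("dana", "Secret"),                          # owner, cleared above the file
    "erin": Subject("erin", "Confidential"),                    # on the ACL for view only
    "frank": Subject("frank", "Unclassified", roles={"editor"}),  # role, but not cleared
    "gina": Subject("gina", "Confidential", roles={"analyst"}),   # cleared, role grants view
}


def run_scenarios() -> Dict[str, bool]:
    """Evaluate the sample requests and return {"<user> <action>": decision}."""
    AUDIT_LOG.clear()
    requests = [("dana", "view"), ("dana", "change"), ("erin", "view"), ("erin", "change"),
                ("frank", "view"), ("gina", "view"), ("gina", "change")]
    return {f"{u} {a}": authorize(SUBJECTS[u], REPORT, a) for u, a in requests}


if __name__ == "__main__":
    run_scenarios()
    print("\n".join(AUDIT_LOG))
```

Two results in the scenario are worth noticing: the owner (dana) can view but not change her own Confidential file because her Secret clearance would be writing down, so the mandatory rule overrides her discretionary ownership; and frank holds the editor role but is denied because the mandatory check fails first. Reading the audit log shows which of the three checks produced each denial, which is the information an investigator needs later.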
B. Why Information Systems Security
Several studies have documented actual and potential losses due to IS security abuses (e.g. Burger, 1993; Loch, Carr, & Warkentin, 1992; Panettieri, 1995). An understanding of the effective and responsible use and management of information systems and technologies is important for managers and business professionals. Information systems play a vital role in the strategic success of a business. At the same time, better computer literacy, increased computer user sophistication, and the availability of advanced software tools may also contribute to IS security abuses in the future. Hence, management needs to pay more attention to IS security issues (Dhillon & Backhouse, 2000).

C. Goals of Information Systems Security
As businesses become more dependent on the use of information systems, the need for better IS security is also increasing. Thus, the main goal of defining an IS security policy is the "protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats" (NSTISSI 4009, August 1997). Organizations today must protect their information from loss just as they would protect any other valuable asset, such as tangible property, equipment, money, or staff. In developing an IS security method the organization must ensure that all the information security loopholes are covered. The information assets must be protected