IMT 508 (The Information Technology Profession) Lecture Note.pdf

THE INFORMATION TECHNOLOGY PROFESSION (IMT 508)
INFORMATION TECHNOLOGY DEPARTMENT, MODIBBO ADAMA UNIVERSITY, YOLA

Why Code of Practice?

Information Technology is a regulated profession in Nigeria, just as in many other countries. Any regulated profession, including Engineering, Medicine, Pharmacy, Law, Accountancy and Information Technology, should have a Code of Practice or Code of Ethics which governs the conduct of practitioners while safeguarding the interest and well-being of the receiving public. Information Technology has permeated virtually all aspects of daily life; therefore the consequences of a lack of regulation in its practice, or a lack of professional standards, can be disastrous and even life-threatening.

What is the difference between Code of Practice and Code of Ethics?

Code of Practice and Code of Ethics are sometimes used interchangeably to describe the standards of technical capability which members must satisfy, as well as the standards of conduct to which members must conform or be held accountable for any lapse.

Code of Practice
▪ Enumerates specifically what the practitioner can or cannot do.
▪ Is enforceable.
▪ License to practice is contingent upon compliance.

Code of Ethics
▪ A moral guideline and expectation, centered on honesty, trustworthiness, fairness and respect for privacy, confidentiality and intellectual property.
▪ Gives ethical principles and expects the practitioner to regulate his/her own behaviour accordingly, without specifically enumerating what he/she can or cannot do.
▪ Enforceable if embedded in a Code of Practice.

The Code of Professional Standards for Information Technology practitioners in Nigeria is enforceable, since continued membership of the profession is contingent upon members' strict adherence to it, while non-compliance could lead to prohibition from the practice of Information Technology in Nigeria.

One of the hallmarks of a profession is the commitment by its members to high standards of professional conduct. Members of the Computer Professionals (Registration Council of Nigeria) should at all times maintain standards of conduct worthy of Information Technology professionals. By so doing, they will enhance their personal stature as Information Technology professionals and help maintain the credibility and prestige of the Information Technology profession. They will also secure the continuing acknowledgement of their professional merits by their community (country) as a whole.

Obligations of the Information Technology practitioner

The Information Technology practitioner has obligations of proper professional conduct towards the following:
▪ The public
▪ Employer or client
▪ Fellow members
▪ The profession
▪ The country

The full and complete code is contained in the Computer Professionals of Nigeria (CPN) publication titled Code of Ethics and Professional Conduct for the Information Technology Profession in Nigeria.

Obligations to the Public:
▪ Ensure that the products of your effort are used in socially responsible ways and avoid harmful effects on life and property. For example, you will not wilfully develop malicious code or other forms of malware, nor promote the acquisition of equipment or components made from banned or toxic materials.
▪ You will give objective, credible, comprehensive and thorough professional evaluations, highlighting possible risks. In your recommendations, you will not take advantage of the lack of knowledge and experience of others.

Obligations to Employer or Client:
▪ You will carry out your work with due care and diligence in accordance with the requirements of your employer or client, and endeavour to complete agreed work on time and within budget.
▪ You will not reveal data and information entrusted to you without the prior consent of the client or employer, except as authorized or required by law.
▪ You will avoid, and promptly disclose, any conflict-of-interest situation which may arise between the work you are handling and other third parties associated with the same work.

Obligations to the Country:
▪ You will ensure that you have knowledge and understanding of existing local, state, national and international laws and regulations relating to the practice of the profession, and obey all such laws.
▪ You will notify the appropriate organ of government when, in your judgement, a policy, project or endeavour, especially in your area of expertise, may be detrimental to the country or harmful to its citizenry.

Obligations to Fellow Members:
▪ You will not injure, or attempt to maliciously injure, the professional reputation and prospects of other members of the profession. Conversely, you have an obligation to report members suspected of engaging in illegal or unprofessional activities to the relevant authority for action.
▪ You will give proper credit for all intellectual property, and for professional work performed by others.

Obligations to the Profession:
▪ You will uphold the reputation of the profession in all your conduct and not promote your own interest at the expense of the dignity and integrity of the profession.
▪ You will exercise care not to misrepresent the profession, the council, its policies or its position on any issue of public interest.

Common Information Technology Practices

Practices common to all Information Technology disciplines:
▪ Acquire and maintain professional competence.
▪ Perform services only in areas of your competence, undertaking only assignments for which you or your organization are qualified by education and/or experience.
▪ Once you accept an assignment, you must assume responsibility for the entire deliverables, which must be signed off and sealed with your professional seal.
▪ Honour property rights, including copyrights, patents, trade secrets and the terms of license agreements.
▪ Respect the privacy of others by maintaining the integrity and privacy of data which you may have access to in the course of your professional work.
▪ Develop and deliver documentation, designs, drawings, operating procedures etc. that not only completely describe the "as built" solution that you have provided, but also facilitate subsequent audit, maintenance, enhancement and operation.

Specific Information Technology Practices

Project Management: A project is a temporary endeavour, having a defined beginning and end, usually constrained by one or more resources such as time, people or funds, and undertaken to meet unique goals and objectives. Project management is the discipline of planning, organizing and managing resources to bring about the successful completion of a particular project within a specified time frame.

Obligations of a Project Manager
▪ The Information Technology practitioner should ensure that a formal project management process or methodology is in place for all projects (it may be scaled according to the size of the project).
▪ Ensure that project plans are documented, agreed to by you and the client, and that progress is monitored throughout execution to ensure completion within time and budget.
▪ Ensure that upon completion, a formal handover and acceptance is concluded with the client.

Relationship Management: Relationship management is the collection of methodologies, processes and tools used to manage customer contacts and relationships in an organized way.
For example, an organization may have a database which contains sufficient details about its customers to enable management, the sales team, the service team and even the customer to have access to pertinent information to manage and expand the relationship. Such information might include online orders and tracking, history and pattern of previous purchases, new products and offers that may match customer needs, service reminders etc. There are many Customer Relationship Management (CRM) tools available from SAP, Oracle/Siebel, Salesforce etc.

Obligations of a Relationship Manager
▪ The Information Technology practitioner should determine the need for a CRM tool and make objective recommendations. The recommended tool will then be used to manage and nurture interactions with existing and prospective clients, ensuring effective long-term usage of Information Technology to increase profitability and reduce operational costs.

Security: Computer system security is the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events. The objective of computer system security includes protection of information and infrastructure (property) from theft, corruption or natural disaster, while allowing the system and its environment to remain accessible and productive to its intended users.

Obligations of a Security Specialist
▪ The Information Technology practitioner is expected to identify and evaluate all potential risks in the Information Technology environment, mindful of the cost-effectiveness and practicability of the proposed level of security. He/she should propose a mechanism for subsequent, ongoing monitoring of the agreed level of security.
▪ Recommend and, if applicable, implement actions to be taken to protect life and equipment and to recover data in the event of a disaster in the Information Technology environment or in one or more of its components.

Safety Engineering: Safety management is the function which assists all managers in better performing their responsibilities for operational system design and implementation, through either the prediction of management system deficiencies before errors occur, or the identification and correction of such deficiencies by professional analysis of accidental incidents (performance errors).

Obligations of a Safety Engineer
▪ The Information Technology practitioner ensures that systems are designed to capture operational, error and audit logs, and provide tools for periodic analysis and reporting for system performance monitoring.
▪ Determines optimum operating conditions and tolerances for computing facilities, environment and equipment, and activates appropriate alarms and notifications in the event of significant deviations.

Change Management: Change management is a structured approach to transitioning a system or organization from a current state to a desired future state. Change management or change control is the process during which changes to a system are implemented in a controlled manner by following a pre-defined framework or methodology.

Obligations of a Change Manager
▪ The Information Technology practitioner employs standardized methods and procedures for the efficient and prompt handling of all changes to a controlled Information Technology system: hardware, communication systems, software and documentation/procedures.
▪ Ensures that all change requests are properly raised, recorded, assessed in terms of impact, costs, benefits and risks, business-justified, approved, managed, monitored and closed.
Quality Management: Information Technology quality management helps in ensuring and managing quality throughout the system lifecycle, from requirement analysis to system build/development, test scenarios and actual testing, as well as error and defect handling.

Obligations of a Quality Manager
▪ The Information Technology practitioner should utilize automated (software) functional, integration and regression testing tools (if cost-effective).
▪ Includes performance and load testing in Information Technology quality management. Tools exist for run-time analysis, memory leak detection, performance profiling and component unit testing of embedded systems.
▪ Utilizes web site security and compliance solutions to help identify vulnerabilities and assess compliance requirements, to improve the accuracy and reliability of online systems.

Education and Research

Obligations in Education: The practitioner in Information Technology should:
▪ Take reasonable precautions to distinguish between his/her personal views and those of the educational institution with which he/she is affiliated.
▪ Not deliberately distort, suppress or deny access to educational materials or information in order to promote his/her personal views or interests.
▪ Keep in confidence information that has been obtained in the course of providing professional service, unless disclosure serves a compelling professional purpose or is required by law.
▪ Safeguard and maintain the confidentiality of test materials and information.
▪ Not use or allow the use of the institution's resources (including computers, internet etc.) for private or commercial purposes.
▪ Accord just and equitable treatment to all students as they exercise their educational rights and responsibilities.
▪ Make reasonable efforts to protect students from conditions harmful to learning or to health and safety.
▪ Not engage in physical or emotional abuse of students, or sexual conduct with a student.
▪ Not exploit their professional relationship with students for private gain.

Obligations in Research: The practitioner in Information Technology research should ensure that:
▪ His/her research does no harm to the community.
▪ The design, implementation, analysis, interpretation, reporting, publication and distribution of the research are culturally relevant to the community and in agreement with the standards of competent research.
▪ The research will contribute something of value to the community in which the research is conducted.
▪ He/she is prepared to address any issues that are raised as a result of the research.
▪ He/she promotes academic diffusion of knowledge through written publications and oral presentations. This includes adequate documentation of the research work as well as the results.

System Lifecycle: A complete system lifecycle includes: requirement analysis and specification, system development, installation, testing, training, operations and ongoing support/maintenance.

Obligations: The Information Technology practitioner should ensure that:
▪ Specifications and requirement definitions are thorough and agreed with the client before qualified vendors/service providers are invited.
▪ Vendor proposals are evaluated against the previously agreed system specification.
▪ Sufficient time is allocated to meetings, clarifications etc., and all invited vendors are treated fairly.
▪ One vendor's proposal is not leaked to or discussed with other vendors.
▪ Undue involvement with the staff of a particular vendor is avoided.
▪ A consistent and objective scoring mechanism is applied across the board to all proposals. It is courteous and professional to notify unsuccessful bidders and inform them of the reasons why they failed.
▪ Critical systems are designed and implemented with redundancy in mind.
▪ All systems are tested and accepted by the client in line with an agreed comprehensive testing plan and acceptance criteria.
▪ Adequate provision is made for training end users, management and support/operations staff.
▪ After installation, ongoing operations are efficient, reliable and at a reasonable cost.
▪ Operating procedures and user desk guides are available to ensure that the system continues to produce the expected results.
▪ A support structure (e.g., a helpdesk) is put in place to maintain formal and informal contact with the end user for problem resolution, ongoing support and routine maintenance.

Software engineering is carried out within a social and legal framework that limits the freedom of people working in that area. As a software engineer, you must accept that your job involves wider responsibilities than simply the application of technical skills. You must also behave in an ethical and morally responsible way if you are to be respected as a professional engineer. It goes without saying that you should uphold normal standards of honesty and integrity. You should not use your skills and abilities to behave in a dishonest way or in a way that will bring disrepute to the software engineering profession. However, there are areas where standards of acceptable behaviour are not bound by laws but by the more tenuous notion of professional responsibility. Some of these are:

1. Confidentiality: You should normally respect the confidentiality of your employers or clients, irrespective of whether or not a formal confidentiality agreement has been signed.
2. Competence: You should not misrepresent your level of competence. You should not knowingly accept work that is outside your competence.
3. Intellectual property rights: You should be aware of local laws governing the use of intellectual property such as patents and copyright. You should be careful to ensure that the intellectual property of employers and clients is protected.
4. Computer misuse: You should not use your technical skills to misuse other people's computers. Computer misuse ranges from the relatively trivial (game playing on an employer's machine) to the extremely serious (dissemination of viruses or other malware).

The rationale behind this code is summarized in the first two paragraphs of the longer form:

Computers have a central and growing role in commerce, industry, government, medicine, education, entertainment and society at large. Software engineers are those who contribute, by direct participation or by teaching, to the analysis, specification, design, development, certification, maintenance and testing of software systems. Because of their roles in developing software systems, software engineers have significant opportunities to do good or cause harm, to enable others to do good or cause harm, or to influence others to do good or cause harm. To ensure, as much as possible, that their efforts will be used for good, software engineers must commit themselves to making software engineering a beneficial and respected profession. In accordance with that commitment, software engineers shall adhere to the following Code of Ethics and Professional Practice.

The Code contains eight (8) principles related to the behaviour of and decisions made by professional software engineers, including practitioners, educators, managers, supervisors and policy makers, as well as trainees and students of the profession.
Each principle identifies the ethically responsible relationships in which individuals, groups and organizations participate and the primary obligations within these relationships. The clauses of each principle are illustrations of some of the obligations included in these relationships. These obligations are founded in the software engineer's humanity, in the special care owed to people affected by the work of software engineers, and in the unique elements of the practice of software engineering. The Code prescribes these as obligations of anyone claiming to be or aspiring to be a software engineer.

In any situation where different people have different views and objectives, you are likely to be faced with ethical dilemmas. For example, if you disagree, in principle, with the policies of more senior management in the company, how should you react? Clearly this depends on the particular individuals and the nature of the disagreement. Is it best to argue a case for your position from within the organization or to resign on principle? If you feel that there are problems with a software project, when do you reveal this to management? If you discuss this while they are just a suspicion, you may be overreacting to a situation; if you leave it too late, it may be impossible to resolve the difficulties.

Such ethical dilemmas face all of us in our professional lives and, fortunately, in most cases they are either relatively minor or can be resolved without too much difficulty. Where they cannot be resolved, the engineer is faced with perhaps another problem. The principled action may be to resign from their job, but this may well affect others such as their partner or children. A particularly difficult situation for professional engineers arises when their employer acts in an unethical way.

Say a company is responsible for developing a safety-critical system and, because of time pressure, falsifies the safety validation records. Is the engineer's responsibility to maintain confidentiality, or to alert the customer or publicize, in some way, that the delivered system may be unsafe? The problem here is that there are no absolutes when it comes to safety. Although the system may not have been validated according to predefined criteria, these criteria may be too strict. The system may actually operate safely throughout its lifetime. It is also the case that, even when properly validated, the system may fail and cause an accident. Early disclosure of problems may result in damage to the employer and other employees; failure to disclose problems may result in damage to others.

You must make up your own mind in these matters. The appropriate ethical position here depends entirely on the views of the individuals who are involved. In this case, the potential for damage, and the people affected by the damage, should influence the decision. If the situation is very dangerous, it may be justified to publicize it using the national press. However, you should always try to resolve the situation while respecting the rights of your employer.

Another ethical issue is participation in the development of military and nuclear systems. Some people feel strongly about these issues and do not wish to participate in any systems development associated with military systems. Others will work on military systems but not on weapons systems. Yet others feel that national security is an overriding principle and have no ethical objections to working on weapons systems. In this situation, it is important that both employers and employees should make their views known to each other in advance. Where an organization is involved in military or nuclear work, it should be able to specify that employees must be willing to accept any work assignment. Equally, if an employee is taken on and makes clear that they do not wish to work on such systems, employers should not put pressure on them to do so at some later date.

The general area of ethics and professional responsibility is becoming more important as software-intensive systems pervade every aspect of work and everyday life. It can be considered from a philosophical standpoint, where the basic principles of ethics are considered and software engineering ethics are discussed with reference to these basic principles. This is the approach taken by Laudon (1995) and, to a lesser extent, by Huff and Martin (1995). Johnson's text on computer ethics (2001) also approaches the topic from a philosophical perspective. However, I find that this philosophical approach is too abstract and difficult to relate to everyday experience. I prefer the more concrete approach embodied in codes of conduct and practice. I think that ethics are best discussed in a software engineering context and not as a subject in their own right. In this book, therefore, I do not include abstract ethical discussion but, where appropriate, include examples in the exercises that can be the starting point for a group discussion on ethical issues.

User Policies

Definition

Misuse of systems is a major problem for many organizations. A large part of the problem comes from the difficulty in defining what exactly misuse is. Some things might be obvious misuse, such as using company time and computers to search for another job or to view forbidden websites.
However, other areas are not so clear, such as an employee using her lunchtime to look up information about a car she is thinking of buying. Generally, good user policies outline specifically how people may use systems and how they may not. For a policy to be effective, it needs to be very clear and quite specific. Statements such as "computers and internet access are only for business use" are simply inadequate. Every organization must have specific policies that will be applied fairly across the organization.

In the previous example, using a general statement of "computers and internet access are only for business use" can be problematic. Assume you have an employee who occasionally takes just a few minutes to check home e-mail with the company computer. You decide that this is unacceptable, and choose not to apply the policy. Later another employee spends two to three hours per day surfing the Net and you fire him for violating company policy. That employee might sue the company for wrongful termination.

Other areas of potential misuse are also covered by user policies, including password sharing, copying data, leaving accounts logged on while employees go to lunch, and so on. All of these issues ultimately have a significant impact on your network's security and must be clearly spelled out in your user policies. We will now examine several areas that effective user policies must cover:
▪ Passwords
▪ Internet use
▪ E-mail attachments
▪ Software installation and removal
▪ Instant messaging
▪ Desktop configuration
▪ Bring Your Own Device (BYOD)

Passwords

Keeping passwords secure is critical. Appropriate passwords are part of operating system hardening. You should recall that a good password has in the past been defined as one that is six (6) to eight (8) characters long, uses numbers and special characters, and has no obvious relevance to the end user. For example, a user might use a password like "cowboys" or "godallas", but should be advised to use a password like "%trEe987" or "123DoG$$" instead, because those do not reflect the person's personal interests and therefore will not be easily guessed. Issues such as minimum password length, password history and password complexity come under administrative policies, not user policies. Those complexity requirements are still good recommendations. However, you should consider longer passwords, such as those twelve (12) characters or longer.

User policies dictate how the end user should behave. However, no password is secure, no matter how long or how complex, if it is listed on a Post-it note stuck to the user's computer monitor. This may seem obvious, but it is not at all uncommon to go into an office and find a password either on the monitor or in the top drawer of the desk. Every janitor, or anyone who simply passes by the office, can get that password.

It is also common to find employees sharing passwords. For example, Bob is going to be out of town next week, so he gives Alice his password so that Alice can get into his system, check e-mail, and so on. The problem is that now two (2) people have that password. And what happens if, during the week Bob is gone, Alice gets ill and decides she will share the password with Shelly so she can keep checking that system while Alice is out sick? It does not take long for a password to get to so many people that it is no longer useful at all from a security perspective. Issues like minimum length of passwords, password age and password history are issues of administrative policies. System administrators can force these requirements. However, none of that will be particularly helpful if the users do not manage their passwords in a secure fashion.
All of this means you need explicit policies regarding how users secure their passwords. Those policies should specify:
▪ Passwords are never to be kept written down in an accessible place. The preference is that they not be written down at all, but if they are, they should be kept in a secure area such as a lock box.
▪ Passwords must never be shared with any person for any reason.
▪ If an employee believes his/her password has been compromised, he/she should immediately contact the Information Technology department so that the password can be changed and so that logon attempts with the old password can be monitored and traced.

A recommendation is to choose a passphrase, something like ILikeCheeseBurgers, and then change the e's to 3's and use some capitalization. Perhaps add a symbol so it becomes #ILik3Ch33s3Burg3rs. This is a very secure password. It can be remembered, and it has complexity and length. The complexity requirements prevent dictionary attacks (using words from a dictionary) and guessing. However, you might be wondering why a long password is so important. The reason has to do with how passwords are stored. In Windows, when you select a password, that password is stored in hashed format in a SAM file. Remember that a hash cannot be undone. Therefore, when you log in, Windows will hash whatever you type in and compare it to what is in the SAM file. If they match, you are in.

Hashing passwords leads to the use of an interesting hacking technique called the rainbow table. A rainbow table contains all the possible hashes of all the key combinations that might have been used in a password, up to a given size. For example, all the single-character combinations are hashed, all the two-character combinations are hashed, and so on up to some finite limit (often eight (8) to ten (10) characters).
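The hashed-login check and the precomputed table described above, as an added worked example written for this note (it is not the lecture's code, nor that of Windows or any cracking tool). It assumes SHA-256 as a stand-in for whatever hash the operating system really stores, a constructed ten-digit alphabet so the toy table builds in milliseconds, and helper names (hash_password, meets_policy, build_lookup_table, keyspace_size, hash_with_salt) chosen here. The per-user salt at the end goes beyond the note: it is the standard defence that makes a precomputed table useless, because a table built for one user's salt says nothing about any other user.

```python
"""Added example (not from the lecture note): why long passphrases defeat
precomputed hash tables. SHA-256 stands in for the real stored hash; the
alphabet is a constructed toy so the full table is tiny."""
import hashlib
import itertools
import os
from typing import Dict, Optional, Tuple

DIGITS = "0123456789"  # constructed toy alphabet; real tables cover letters, digits and symbols


def hash_password(password: str) -> str:
    """One-way hash: this is what gets stored, never the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(candidate: str, stored_hash: str) -> bool:
    """Login check as the note describes: hash the attempt, compare with the store."""
    return hash_password(candidate) == stored_hash


def meets_policy(password: str, min_len: int = 12) -> bool:
    """The note's advice: 12+ characters with upper, lower, digit and a symbol."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return len(password) >= min_len and has_lower and has_upper and has_digit and has_symbol


def keyspace_size(alphabet_size: int, max_len: int) -> int:
    """Entries a complete table needs: every string of length 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def build_lookup_table(alphabet: str = DIGITS, max_len: int = 3) -> Dict[str, str]:
    """Hash every string up to max_len, as the note describes (1-char, 2-char, ...)."""
    table: Dict[str, str] = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            plaintext = "".join(combo)
            table[hash_password(plaintext)] = plaintext
    return table


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """The table search: a hit means the plaintext must be the password."""
    return table.get(stored_hash)


def hash_with_salt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salted variant (beyond the note): a random per-user salt means a table built
    for one user is worthless for every other, so precomputation no longer pays."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


if __name__ == "__main__":
    table = build_lookup_table()  # every 1- to 3-digit string: 1110 entries
    short_hash = hash_password("428")  # constructed weak password
    long_hash = hash_password("#ILik3Ch33s3Burg3rs")  # the note's passphrase
    print("3-digit PIN recovered:", lookup(table, short_hash))
    print("passphrase recovered:", lookup(table, long_hash))
    # Growth of a complete table over the 95 printable ASCII characters
    for n in (8, 12, 20):
        print(f"printable ASCII up to {n} chars: {keyspace_size(95, n):.3e} entries")
    salt, digest = hash_with_salt("#ILik3Ch33s3Burg3rs")
    print("salted verify:", hash_with_salt("#ILik3Ch33s3Burg3rs", salt)[1] == digest)
```

Run it and the three-digit value is recovered at once while the 19-character passphrase is not in the table at all; the keyspace_size figures show why the note's "twenty (20) characters or more" is out of reach of a complete table even before a salt is added.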
If you get the SAM file, then you can search the rainbow table for any matches. If you find a match, then the associated plaintext must be the password. Tools such as OphCrack boot into Linux and then run a rainbow table against the SAM file. However, large rainbow tables are cumbersome. No current rainbow tables can handle passphrases of twenty (20) characters or more.

Internet Use Policy

Most organizations provide users with some sort of internet access. There are several reasons for this. The most obvious reason is e-mail. However, that is hardly the only reason to have internet access in a business. There is also the web, and even chat rooms. All of these can be used for legitimate purposes within any organization, but they can also be serious security problems. Appropriate policies must be in place to govern the use of these technologies.

The web is a wonderful resource for a tremendous wealth of data. The Internet is also full of useful tutorials on various technologies. However, even non-technology-related business interests can be served via the web. Here are a few examples of legitimate business uses of the web:
▪ Sales staff checking competitors' websites to see what products or services they offer in what areas, perhaps even getting prices.
▪ Creditors checking a business's AM Best or Standard and Poor's rating to see how its financial rating is doing.
▪ Business travellers checking conditions and getting prices for travel.

Of course, other web activities are clearly not appropriate on a company's network:
▪ Using the web to search for a new job.
▪ Any pornographic use.
▪ Any use which violates local, state or federal laws.
▪ Use of the web to conduct an employee's own business (i.e., an employee who is involved in another enterprise other than the company's business, such as eBay).

In addition, there are grey areas. Some activities might be acceptable to some organizations but not to others.
Such activities might include:
▪ Online shopping during the employee's lunch or break time.
▪ Reading news articles online during lunch or break time.
▪ Viewing humorous websites.
What one person might view as absurdly obvious might not be to another. It is critical that any organization have very clear policies detailing specifically what is and what is not acceptable use of the web at work. Giving clear examples of what is acceptable use and what is not is important. You should also remember that most proxy servers and many firewalls can block certain websites. This will help prevent employees from misusing the company's web connection.

Email Attachments
Most business and even academic activity now occurs via e-mail. E-mail also happens to be the primary vehicle for virus distribution. This means that e-mail security is a significant issue for any network administrator. Clearly you cannot simply ban all e-mail attachments. However, you can establish some guidelines for how to handle e-mail attachments. Users should open an attachment only if it meets the following criteria:
▪ It was expected (i.e., the user requested documents from some colleague or client).
▪ If it was not expected, it comes from a known source. If so, first contact that person and ask whether they sent the attachment. If they did, open it.
▪ It appears to be a legitimate business document (that is, a spreadsheet, a document, a presentation, etc.).
It should be noted that some people might find such criteria unrealistic. There is no question they are inconvenient. However, with the prevalence of viruses, often attached to e-mail, these measures are sensible. Many people choose not to go to this level to try to avoid viruses, and that may be your choice as well. Just bear in mind that millions of computers are infected with some sort of virus every single year.
No one should ever open an attachment that meets any of the following criteria:
▪ It comes from an unknown source.
▪ It is some active code or executable.
▪ It is an animation/movie.
▪ The e-mail itself does not appear legitimate (it seems to tempt you to open the attachment rather than simply being a legitimate business communication that happens to have an attachment).
If the end user has any doubt whatsoever, he/she should not open the e-mail. Rather, he/she should contact someone in the Information Technology department who has been designated to handle security. That person can then either compare the e-mail subject line to known viruses or simply come and check out the e-mail personally. Then, if it appears legitimate, the user can open the attachment.

Software Installation and Removal
This is one matter that does have an absolute answer. End users should not be allowed to install anything on their machine, including wallpapers, screen savers, utilities, etc. The best approach is to limit their administrative privileges so they cannot install anything. However, this should be coupled with a strong policy statement prohibiting the installation of anything on users' PCs. If they wish to install something, it should first be scanned by the Information Technology department and approved. This process might be cumbersome, but it is necessary. Some organizations go so far as to remove media drives (optical drive, USB, etc.) from end users' PCs so installations can occur only from files that the Information Technology department has put on a network drive. This is usually a more extreme measure than most organizations will require, but it is an option you should be aware of.

Instant Messaging
Instant messaging is also widely used and abused by employees in companies and organizations.
In some cases, instant messaging can be used for legitimate business purposes. However, it does pose a significant security risk. There have been viruses that propagated specifically via instant messaging. In one incident the virus would copy everyone on the user's buddy list with the contents of all conversations. Thus, a conversation the user thought was private was being broadcast to everyone with whom that user had messaged. Instant messaging is also a threat from a purely information security perspective. Without the traceability of an e-mail going through the corporate e-mail server, nothing stops an end user from instant messaging out trade secrets or other confidential information undetected. It is recommended that instant messaging simply be banned from all computers within an organization. If you find your organization absolutely must use it, then you must establish very strict guidelines for its use, including:
▪ Instant messaging may be used only for business communications, no personal conversations. This might be a bit difficult to enforce. More common rules, such as prohibiting personal web browsing, are also quite difficult to enforce. However, it is still a good idea to have those rules in place. Then, if you find an employee violating them, you can refer to a company policy that prohibits such actions. You should be aware, though, that in all likelihood you would not catch most violations of this rule.
▪ No confidential or private business information should be sent via instant messaging.

Desktop Configuration
Many users like to configure their desktop. This means changing the background, screen saver, font size, resolution, and so on. Theoretically speaking, this should not be a security hazard. Simply changing a computer's background image cannot compromise the computer's security. However, there are other issues involved. The first issue is where the background image comes from.
Frequently end users download images from the Internet, creating an opportunity for getting a virus or Trojan horse, particularly one using a hidden extension (e.g., it appears to be mypic.jpg but is really mypic.jpg.exe). There are also human resources/harassment issues if an employee uses a backdrop or screen saver that is offensive to other employees. Some organizations simply decide to prohibit any changes to the system configuration for this reason.

The second problem is technical. In order to give a user access to change screen savers, background images, and resolution, you must grant rights that also allow the user to change other system settings you might not want changed. The graphical display options are not separated from all other configuration options. This means that allowing the user to change the screen saver might open the door to altering other settings that would compromise security (such as the network card configuration or the Windows Internet connection firewall).

Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD) has become a significant issue for most organizations. Most, if not all, of your employees will have their own smart phones, tablets, smart watches, etc. that they will most likely carry with them into the workplace. When they connect to your wireless network, this introduces a host of new security concerns. You have no idea what networks those devices previously connected to, what software was installed on them, or what data might be exfiltrated by these personal devices. In a highly secure environment, the answer may be to forbid personally owned devices. However, in many organizations such a policy is impractical. A workaround for that is to have a Wi-Fi network that is dedicated to BYOD and is not connected to the company's main network.
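The attachment rules from the Email Attachments section (open only if expected or confirmed with a known sender and it looks like a business document; never open executables, media, or anything from an unknown source) together with the hidden-extension trick just described (mypic.jpg.exe), as an added example that is not part of the lecture. The extension lists and the fields of the Attachment record are assumptions; the sample attachments are constructed.

```python
"""E-mail attachment screening, following the lecture's criteria (added example).

The extension sets and the Attachment fields are assumptions; the decision
order follows the text: every "never open" rule is checked before any
"open only if" rule.
"""
from dataclasses import dataclass

DOCUMENT_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv"}
ACTIVE_EXT = {"exe", "com", "scr", "bat", "cmd", "vbs", "js", "ps1", "msi", "jar"}
MEDIA_EXT = {"gif", "avi", "mp4", "mov", "wmv", "swf"}


@dataclass
class Attachment:
    filename: str
    sender_known: bool                   # sender is an existing contact
    expected: bool                       # the user asked for this document
    sender_confirmed: bool = False       # user contacted the sender, who confirmed sending it
    message_looks_legitimate: bool = True  # the mail reads as normal business mail, not a lure


def extensions(filename: str) -> list:
    # Every dotted suffix, lowercased: "mypic.jpg.exe" -> ["jpg", "exe"]
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def hidden_extension(filename: str) -> bool:
    # A harmless-looking extension followed by an executable one ("mypic.jpg.exe").
    exts = extensions(filename)
    return len(exts) >= 2 and exts[-1] in ACTIVE_EXT and exts[-2] not in ACTIVE_EXT


def true_extension(filename: str) -> str:
    # The last suffix is what the operating system actually acts on.
    exts = extensions(filename)
    return exts[-1] if exts else ""


def screen_attachment(att: Attachment) -> tuple:
    """Return (decision, reason); decision is 'open', 'refer' (ask IT security) or 'block'."""
    ext = true_extension(att.filename)
    # "Never open" criteria first: they override anything else.
    if not att.sender_known:
        return "block", "unknown source"
    if hidden_extension(att.filename):
        return "block", "hidden extension disguises an executable"
    if ext in ACTIVE_EXT:
        return "block", "active code or executable"
    if ext in MEDIA_EXT:
        return "block", "animation or movie"
    if not att.message_looks_legitimate:
        return "block", "message itself does not look like legitimate business mail"
    # "Open only if" criteria.
    if ext not in DOCUMENT_EXT:
        return "refer", "not a recognised business document type"
    if att.expected:
        return "open", "expected business document"
    if att.sender_confirmed:
        return "open", "known sender confirmed they sent it"
    return "refer", "unexpected; confirm with the sender or IT security before opening"


if __name__ == "__main__":
    # Constructed sample attachments
    samples = [
        Attachment("budget_q3.xlsx", sender_known=True, expected=True),
        Attachment("mypic.jpg.exe", sender_known=True, expected=True),
        Attachment("invoice.pdf", sender_known=False, expected=False),
        Attachment("agenda.docx", sender_known=True, expected=False),
        Attachment("agenda.docx", sender_known=True, expected=False, sender_confirmed=True),
        Attachment("funny.avi", sender_known=True, expected=False),
    ]
    for att in samples:
        decision, reason = screen_attachment(att)
        print(f"{att.filename:18} -> {decision:6} ({reason})")
```

An image file from a known sender is routed to "refer" rather than opened, because the text restricts unattended opening to recognisable business documents.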
Another approach, although more technologically complex, is to detect the device on connection and, if it is not a company-issued device, significantly limit its access. There are also alternatives to BYOD. For example, Choose Your Own Device (CYOD) is a policy wherein the company allows the employee to bring their own device, but only if that device is from a list of pre-approved devices. This gives the company some control over what the user is connecting to the company network. Company Owned and Provided Equipment (COPE) is another option. In this scenario, the company provides the device and has complete control over it. However, this can become an issue when the employee uses the device for both personal and professional purposes, not to mention the expense of providing employees with devices and maintaining those devices. Whatever approach you take, you must have some policy regarding personal devices. They are already ubiquitous and spreading even more. Just a few years ago, smart phones were really the only BYOD device. But today there are smart watches, smart luggage, etc., and it is difficult to predict what new devices might be coming in the future.

System Administration Policies
In addition to determining policies for users, you must have some defined policies for system administrators. There must be a procedure for adding users, removing users, dealing with security issues, changing any system, and so on. There must also be procedures for handling any deviation.

New Employees
When a new employee is hired, the system administration policy must define specific steps to safeguard company security. New employees must be given access to the resources and applications their job functions require. The granting of that access must be documented (possibly in a log).
It is also critical that each new employee receive a copy of the company's computer security/acceptable use policies and sign a document acknowledging receipt of them. Before the new employee starts to work, the Information Technology department (specifically network administration) should receive a written request from the business unit for which that person will be working. That request should specify exactly what resources this user will need and when he/she will start. It should also have the signature of someone in the business unit with authority to approve such a request. Then, the person who is managing network administration or network security should approve and sign the request. After you have implemented the new user on the system with the appropriate rights, you can file a copy of the request.

Leaving Employees
When an employee leaves, it is critical to make sure all logins are terminated and all access to all systems is discontinued immediately. Unfortunately, this is an area of security that many organizations do not give enough attention to. It is imperative to have all of the former employee's access shut down on his/her last day of work. This includes physical access to the building. If a former employee has keys and is displeased, nothing can stop him from returning to steal or vandalize computer equipment. When an employee leaves the company, you should ensure that on his/her last day the following actions take place:
▪ All logon accounts to any server, VPN, network, or other resources are disabled.
▪ All keys to the facility are returned.
▪ All accounts for e-mail, Internet, cell phones, etc., are shut off.
▪ Any accounts for mainframe resources are cancelled.
▪ The employee's workstation hard drive is searched.
The last item might seem odd. However, if an employee was gathering data to take with him (proprietary company data) or conducting any other improper activities, you need to find out right away.
If you do see any evidence of any such activity, you need to secure that workstation and keep it as evidence for any civil or criminal proceedings. All of this might seem extreme to some people. It is true that with the vast majority of existing employees, you will have no issues of concern. However, if you do not make it a habit of securing an employee's access when he/she departs, you will eventually have an unfortunate situation that could easily have been avoided.

Change Requests
The nature of Information Technology is change. Not only do end users come and go, but requirements change frequently. Business units request access to different resources, server administrators upgrade software and hardware, application developers install new software, web developers change the website, and so on. Change is occurring all the time. Therefore, it is important to have a change control process. This process not only makes the change run smoothly but also allows the Information Technology security personnel to examine the change for any potential security problems before it is implemented. A change control request should go through the following steps:
▪ An appropriate manager within the business unit signs the request, signifying approval.
▪ The appropriate Information Technology unit (database administration, e-mail administration, and so on) verifies that the request is one they can fulfil (from both a technological and a budgetary/business perspective).
▪ The Information Technology security unit verifies that this change will not cause any security problems.
▪ The appropriate Information Technology unit formulates a plan to implement the change and a plan to roll back the change in the event of some failure.
▪ The date and time for the change is scheduled, and all relevant parties are notified.
Your change control process might not be identical to this one; in fact, yours might be much more specific. However, the key point to remember is that in order for your network to be secure, you simply cannot have changes happening without some process for examining their impact prior to implementing them.

Access Control
An important area of security policies that usually generates some controversy in any organization is access control. There is always a conflict between users' desire for unrestricted access to any data or resources on the network and the security administrator's desire to protect that data and those resources. You cannot simply lock down every resource as completely as possible, because that would block the users' access to those resources. Conversely, you cannot simply allow anyone and everyone complete access to everything. It is worth keeping the CIA acronym (confidentiality, integrity, availability) in mind when thinking about access control. Your goal is to make sure the data is accurate, confidential, and available only to authorized parties.

This is where the least privilege concept comes into play. The idea is simple. Each user, including Information Technology personnel, gets the least access they can have and still effectively do the job. Rather than asking the question "Why not give this person access to X?" you should ask "Why give this person access to X?" If you do not have a good reason, then do not provide the access. This is one of the fundamentals of computer security. The more people who have access to any resource, the more likely some breach of security is to occur. Clearly, trade-offs between access and security must be made. One common example involves sales contact information. Clearly, a company's marketing department needs access to this data. However, what happens if competitors get all of your company's contact information?
That information could allow them to begin targeting your current client list. This requires a trade-off between security and access. In this case, you would probably give sales people access only to the contacts that are within their territory. No one other than the sales manager should have complete access to all contacts.

Physical Security
Physical security is actually a multifaceted topic. The most obvious issue is to physically secure machines, but beyond that you must consider issues such as controlling access to your building and knowing how to respond to fires. Monitoring systems such as alarms and cameras are also a part of physical security.

Equipment Security
Physical security begins with controlling access to the building and to key rooms within the building. At the most basic level, it includes having a locked door on the server room. In addition to that, you must also have some way of controlling who has access to that room. A highly recommended approach is a swipe card or password key entry system that records who enters the room and when. You should also consider the room itself. It should not have a window, or if it does, it should be a reinforced window, and someone outside should not be able to easily view inside the room. The room should also be fireproof, because a fire in the server room would be a significant disaster. The server room is obviously a key item to secure, but it is not the only item. If routers or switches are distributed in the building, they must be in locations that are not easily accessible to unauthorized personnel. Locked closets make a good location for these items. Locking down workstations so they are secured to the desk is also a common practice. This makes theft of those computers significantly more difficult. Essentially, any device that is itself valuable or contains data that is valuable must be physically secured. Equipping mobile business phones with the ability to remotely wipe them is also becoming common practice.
That way, if they are stolen or lost, the administrator can remotely wipe all data on the phone.

Securing Building Access
After you have secured the equipment, you must also control access to the building itself. A common method is to have a locked door or barrier that requires an employee ID to enter. A sign-in sheet is also a good way to track who enters and exits your office. The level of effort put into securing physical access to the building will vary depending on the organization's security needs. A mantrap is an often-used security mechanism in high-security environments. A mantrap consists of two doors with a short hallway between them. The second door cannot open until the first door is closed. This prevents tailgating, which is the process of an unauthorized person following an authorized person through a secure door. This can be further enhanced by having each door use a different authentication method. Perhaps the first door requires a key and the second requires a passcode. This two-factor authentication system would be difficult for an intruder to circumvent.

Other methods of securing building access involve the external areas of a building. For example, a parking lot can be designed so that a person must make turns every fifty (50) feet or so to exit. This prevents a thief or intruder from "speeding away" and makes it more likely that someone will be able to note their license plate, or even that police might arrive before they escape. Fences are also important. Having some level of fencing is essential. High-security environments might use a tall fence, even topped with concertina wire. This might not be appropriate for many organizations, but even a decorative hedgerow provides some level of barrier to slow down intruders. Lighting is also important.
Intruders usually prefer to enter in the dark to reduce the chance of being noticed or even caught. A well-lit building exterior impedes intruders' intentions to enter surreptitiously. Furthermore, internal lighting can also be helpful. You have probably noticed that many retail stores leave the store lights on after closing. This allows passing police officers to easily see whether someone is in the building.

Monitoring
Video monitoring is becoming more affordable and more sophisticated. High-definition video cameras, including cameras with night vision capability, are now fairly inexpensive. Retail stores often find that by placing cameras in highly visible areas, the incidence of theft declines. Stoplights equipped with cameras usually reduce the number of people who run red lights. Placing cameras in or around your facility requires a little bit of thought. First and foremost, the cameras must be placed so that they have an unobstructed view of the areas you want to monitor. At a minimum, all entrances and exits should have camera monitoring. You might also want cameras in main internal hallways, just outside critical areas (that is, server rooms), and possibly around the perimeter of your building. The cameras also need to be placed so that they are not easily disabled by an intruder. This usually means placing them at a height that is difficult for someone to reach. You should consider the type of cameras you are placing. If you do not have adequate external lighting, then night-vision-capable cameras are important. You might want cameras that transmit their signal to a remote location for storage. If you choose to transmit the camera feed, make sure the signal is secure so that someone cannot easily tap into it.

Fire Protection
Obviously, a fire will destroy servers and other equipment.
Having adequate fire alarms and fire extinguishers in your facility is important. Fire extinguishers are classified by the types of fire they are able to put out:
▪ Class A: Ordinary combustibles such as wood or paper.
▪ Class B: Flammable liquids such as grease, oil, or gasoline.
▪ Class C: Electrical equipment.
▪ Class D: Flammable metals.
Fire suppression systems are common in large office buildings. These systems are divided into three (3) categories:
▪ Wet Pipe.
    ▪ Always contains water.
    ▪ Most popular and reliable.
    ▪ 265-degree fuse melts.
    ▪ Can freeze in winter.
    ▪ Pipe breaks can cause floods.
▪ Dry Pipe.
    ▪ No water in pipe.
    ▪ Preferred for computer installations.
    ▪ Water held back by clapper.
    ▪ Air blows out of pipe, water flows.
▪ Pre-action.
    ▪ Usually recommended for computer rooms.
    ▪ Basically operates like a dry pipe.
    ▪ When a certain temperature is reached, water goes into the pipe, then is released when a higher temperature is reached.
Having a plan to address fires is important. Depending on budget and security needs, your plan can be as simple as well-placed smoke alarms and a fire extinguisher or as complex as a series of fire suppression systems with an alarm system that automatically notifies the fire department.

Disaster Recovery
A disaster is any event that significantly disrupts your organization's operations. A hard drive crash on a critical server is a disaster. Other examples include fire, earthquake, your telecom provider being down, a labour strike that affects shipping to and from your business, and a hacker deleting critical files. Just keep in mind that any event that can significantly disrupt your organization's operations is a disaster.

Disaster Recovery Plan
You should have a disaster recovery plan (DRP) in place to guide the return of the business to normal operations. This must include a number of items.
You must address personnel issues, which means being able to find temporary personnel if needed, and being able to contact the personnel you have employed. It also includes having specific people assigned to specific tasks. If a disaster occurs, who in your organization is tasked with the following?
▪ Locating alternative facilities.
▪ Getting equipment to those facilities.
▪ Installing and configuring software.
▪ Setting up the network at the new facility.
▪ Contacting staff, vendors, and customers.
These are just a few of the issues that a disaster recovery plan must address; your organization may have more issues that would need to be addressed during a disaster.

Business Continuity Plan
A business continuity plan (BCP) is similar to a disaster recovery plan but with a different focus. The DRP is designed to get the organization back to full functionality as quickly as possible. A business continuity plan is designed to get minimal business functions back up and running, at least at some level, so you can conduct some type of business. An example would be a retail store whose credit card processing system is down. Disaster recovery is concerned with getting the system back up and running at full functionality, essentially as if the disaster never happened. Business continuity is concerned with simply offering a temporary solution, such as processing credit cards manually. To successfully formulate a business continuity plan, one must consider which systems are most critical for the business and have an alternative plan in case those systems go down. The alternative plan does not need to be perfect, just functional.

Determining Impact on Business
Before you can create a realistic DRP or BCP, you have to do a business impact analysis (BIA) of what damage a given disaster might cause to your organization. Consider a web server crash.
If your organization is an e-commerce business, then a web server crash is a very serious disaster. However, if your business is an accounting firm and the website is just a way for new customers to find you, then a web server crash is less critical. You can still do business and earn revenue while the web server is down. You should make a spreadsheet of various likely or plausible disasters and do a basic business impact analysis for each.

Issues to consider in your BIA include the maximum tolerable downtime (MTD): how long can a given system be down before the effect is catastrophic and the business is unlikely to recover? Another item to consider is the mean time to repair (MTTR): how long is it likely to take to repair a given system if it is down? You must also consider the mean time between failures (MTBF); in other words, how frequently does this particular service or device fail? These factors help you to determine the business impact of a given disaster. All of this data will lead you to a recovery time objective (RTO). That is the time by which you intend to have a service back up and running, should there be a failure. This should always be less than the MTD. For example, if the MTD for your e-commerce server is forty-eight (48) hours, your RTO might be set at thirty-two (32) hours, providing a significant margin of error. Another important concept is the recovery point objective (RPO). This is how much data you can tolerate losing. Imagine you do a backup every ten (10) minutes. If the server you are backing up fails seconds before the next backup, you will have lost nine (9) minutes and about fifty-five (55) to fifty-nine (59) seconds of work/data. That will all have to be redone manually. Is this tolerable? That depends on your organization.

Testing Disaster Recovery
Once you have both a DRP and a BCP, you need to periodically test those plans to ensure they will actually work as expected.
There are five (5) types of tests, listed here in order from the least intrusive and easiest to conduct to the most difficult but most informative.

Document Review/Checklist
This type of testing is usually done by an individual. The BCP and/or DRP are simply reviewed to see if everything is covered. They are compared to checklists, perhaps checklists from various standards (like PCI).

Walkthrough/Tabletop
This is a team effort. A team sits in a conference room and goes through the BCP and/or DRP and discusses scenarios. For example, "What if there was a fire in the server room?" Then the plans are consulted to see if that is covered adequately and appropriately.

Simulation
The purpose of this type of test is to simulate some sort of disaster. A team or an individual might conduct this type of test. It involves moving around the organization and asking specific individuals "what if" scenarios. For example, you might ask the database administrator "What is the plan should our financial data server crash now?" The purpose of this is to see if everyone knows what to do if a disaster occurs.

Parallel
This test is about seeing if all backup systems come online. That would include restoring backup media, turning on backup power systems, initializing secondary communications systems, etc.

Cut-off/Full Interruption
This is the ultimate test. You actually shut down real systems and see if the BCP/DRP works. From one perspective, if you never do this level of testing, then you do not really know if your plans will work. However, if this goes wrong, then you have just caused a disaster. To avoid generating a disaster, there are some steps you can take. The first is to not even consider this test until you have successfully completed the previous tests. In fact, all of these tests should be done in order. First, do a document/checklist review.
If and only if that is successful, then move to a tabletop. Then, if that works, move to a simulation. Secondly, you should schedule this type of test during downtime for the company, at a time when, if things go wrong, it will cause the least impact on the business. For example, if this is a bank, then do not do this test on Monday morning. Perhaps Saturday afternoon would be best. This would give you a chance to fix anything that goes wrong.

Fault Tolerance
At some point, all equipment fails, so being fault tolerant is important. At the most basic level, fault tolerance for a server means having a backup. If the server fails, did you back up the data so you can restore it? Although database administrators might use a number of different types of data backups, from a security point of view the three primary backup types are:
▪ Full: All data.
▪ Differential: All changes since the last full backup.
▪ Incremental: All changes since the last backup of any type.
Consider a scenario where you do a full backup at 2:00 a.m. each morning. However, you are concerned about the possibility of a server crash before the next full backup. Therefore, you want to do a backup every two (2) hours. The type of backup you choose will determine the efficiency of doing those frequent backups and the time needed to restore. Let us consider each type of backup in a crash scenario and what would happen if the system crashes at 10:05 a.m.
▪ Full: In this scenario you do a full backup at 4:00 a.m., 6:00 a.m., ... 10:00 a.m., and then the system crashes. You just have to restore the last full backup, which was done at 10:00 a.m. This makes restoration much simpler. However, running a full backup every two (2) hours is very time consuming and resource intensive and will have a significant negative impact on your server's performance.
▪ Differential: In this scenario you do a differential backup at 4:00 a.m., 6:00 a.m., ... 10:00 a.m., and then the system crashes. You need to restore the last full backup, done at 2:00 a.m., and the most recent differential backup, done at 10:00 a.m. This is just a little more complicated than the full backup strategy. However, those differential backups are going to get larger each time you do them, and thus more time consuming and resource intensive. Although they will not have the same impact as doing full backups, they will still slow down your network.
▪ Incremental: In this scenario you do an incremental backup at 4:00 a.m., 6:00 a.m., ... 10:00 a.m., and then the system crashes. You need to restore the last full backup, done at 2:00 a.m., and then each incremental backup done since then, and they must be restored in order. This is a much more complex restore, but each incremental backup is small and does not take much time nor consume many resources.
There is no "best" backup strategy. Which one you select will depend on your organization's needs. Whatever backup strategy you choose, you must periodically test it. The most effective way to test your backup strategy is to actually restore the backup data to a test machine.

The other fundamental aspect of fault tolerance is Redundant Array of Independent Disks (RAID). RAID allows your servers to have more than one hard drive, so that if the main hard drive fails, the system keeps functioning. The primary RAID levels are described here:
▪ RAID 0 (Striped Disks) distributes data across multiple disks in a way that gives improved speed at any given instant. This offers NO fault tolerance.
▪ RAID 1 mirrors the contents of the disks, making a form of 1:1 ratio real-time backup. This is also called mirroring.
▪ RAID 3 or 4 (Striped disks with dedicated parity) combines three or more disks in a way that protects data against the loss of any one disk.
Fault tolerance is achieved by adding an extra disk to the array and dedicating it to storing parity information. The storage capacity of the array is reduced by one disk.
▪ RAID 5 (Striped disks with distributed parity) combines three or more disks in a way that protects data against the loss of any one disk. It is similar to RAID 3, but the parity is not stored on one dedicated drive; instead, parity information is interspersed across the drive array. The storage capacity of the array is a function of the number of drives minus the space needed to store parity.
▪ RAID 6 (Striped disks with dual parity) combines four or more disks in a way that protects data against loss of any two disks.
▪ RAID 1+0 (or 10) is a mirrored data set (RAID 1) that is then striped (RAID 0), hence the “1+0” name. A RAID 1+0 array requires a minimum of four drives: two mirrored drives to hold half of the striped data, plus another two mirrored for the other half of the data.

Difference Between Information Technology and Information Systems

The field of Information Systems is constantly growing, and it offers a variety of job options for those interested in pursuing a technology-related career. But what is really the difference between Information Systems and Information Technology? These terms are often confused or considered to be interchangeable, when they are actually two different paths that appeal to different skillsets and disciplines.

What is Information Technology?

Information Technology is the study, design, implementation, support or management of computer-based Information Systems. It focuses on maintaining the system’s hardware, software, databases and network, with the end goal of communicating to users how to best utilize its functionality.
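The crash scenario from the Fault Tolerance section above (full backup at 2:00 a.m., a backup every two hours, crash at 10:05 a.m.) worked through in code. This is an added example, not part of the lecture notes; the per-window file changes are constructed sample data, and each change bumps a file's version so that a restore can be checked for correctness, including the requirement that incrementals be applied in order.

```python
"""Model of the backup scenario in the notes: a full backup at 02:00, then one
backup every two hours, and a crash at 10:05 (added example, not from the
lecture notes). The file changes per window are constructed sample data; each
change bumps a file's version so that a restore can be checked for correctness."""

FULL_AT = "02:00"
SCHEDULE = ["04:00", "06:00", "08:00", "10:00"]   # backups taken after the full
ALL_FILES = ("a.txt", "b.txt", "c.txt", "d.txt", "e.txt", "f.txt")

# Constructed: files modified in the two hours before each scheduled backup.
CHANGES = {
    "04:00": {"a.txt", "b.txt"},
    "06:00": {"c.txt"},
    "08:00": {"a.txt", "d.txt"},   # a.txt changes a second time
    "10:00": {"e.txt"},
}


def backup_sets(strategy):
    """Return ({time: {file: version}} for every backup, live versions at crash).

    full         - snapshot of every file at that time
    differential - every file changed since the last full backup
    incremental  - only files changed since the previous backup of any type
    """
    live = {f: 0 for f in ALL_FILES}            # versions currently on the server
    sets = {FULL_AT: dict(live)}
    since_full = set()
    for t in SCHEDULE:
        for f in CHANGES[t]:
            live[f] += 1
        since_full |= CHANGES[t]
        if strategy == "full":
            sets[t] = dict(live)
        elif strategy == "differential":
            sets[t] = {f: live[f] for f in since_full}
        elif strategy == "incremental":
            sets[t] = {f: live[f] for f in CHANGES[t]}
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets, live


def restore_chain(strategy):
    """Backups that must be applied, in order, after a crash at 10:05."""
    last = SCHEDULE[-1]
    if strategy == "full":
        return [last]
    if strategy == "differential":
        return [FULL_AT, last]
    if strategy == "incremental":
        return [FULL_AT, *SCHEDULE]
    raise ValueError(f"unknown strategy {strategy!r}")


def restore(strategy, order=None):
    """Replay backups (default: the correct chain) and return the rebuilt state."""
    sets, _ = backup_sets(strategy)
    state = {}
    for t in order or restore_chain(strategy):
        state.update(sets[t])            # later backups overwrite earlier ones
    return state


def restore_is_complete(strategy, order=None):
    """True when the replayed state matches what was on the server at the crash."""
    _, live = backup_sets(strategy)
    return restore(strategy, order) == live


def backup_volume(strategy):
    """File copies written by the four scheduled backups after the 02:00 full."""
    sets, _ = backup_sets(strategy)
    return sum(len(sets[t]) for t in SCHEDULE)


if __name__ == "__main__":
    for s in ("full", "differential", "incremental"):
        print(f"{s:12} restore {restore_chain(s)} volume={backup_volume(s)}"
              f" complete={restore_is_complete(s)}")
    # Incrementals applied out of order leave a.txt at the wrong version.
    bad = [FULL_AT, "10:00", "08:00", "06:00", "04:00"]
    print("incremental out of order complete:", restore_is_complete("incremental", bad))
```

The volume figures (24, 14 and 6 file copies) make the trade-off in the notes concrete: full backups cost the most to take, incrementals the least, and only the incremental chain breaks when restored out of order.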
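The RAID levels listed in the Fault Tolerance section above, modelled in code: usable capacity and the number of disk failures each level survives, plus the XOR parity that lets RAID 3/4/5 rebuild a single lost disk. This is an added example, not from the lecture notes; the disk blocks are constructed sample bytes.

```python
"""Capacity, fault tolerance and parity for the RAID levels listed in the notes
(added example, not from the lecture notes). The disk blocks below are
constructed sample bytes; RAID 3/4/5 parity is modelled as XOR, which is how a
single lost disk is rebuilt from the survivors."""

# level -> (minimum disks, disks whose loss is always survivable, usable-disk count)
RAID_LEVELS = {
    0:  (2, lambda n: 0,     lambda n: n),        # striping only: no fault tolerance
    1:  (2, lambda n: n - 1, lambda n: 1),        # every disk holds a full copy
    3:  (3, lambda n: 1,     lambda n: n - 1),    # one dedicated parity disk
    4:  (3, lambda n: 1,     lambda n: n - 1),
    5:  (3, lambda n: 1,     lambda n: n - 1),    # parity distributed, still one disk's worth
    6:  (4, lambda n: 2,     lambda n: n - 2),    # dual parity
    10: (4, lambda n: 1,     lambda n: n // 2),   # mirrored pairs, then striped
}


def raid_summary(level, disks, disk_gb):
    """Return (usable capacity in GB, disks that may fail without data loss)."""
    if level not in RAID_LEVELS:
        raise ValueError(f"unsupported RAID level {level}")
    min_disks, tolerance, usable = RAID_LEVELS[level]
    if disks < min_disks:
        raise ValueError(f"RAID {level} needs at least {min_disks} disks, got {disks}")
    if level == 10 and disks % 2:
        raise ValueError("RAID 1+0 needs an even number of disks (mirrored pairs)")
    return usable(disks) * disk_gb, tolerance(disks)


def xor_parity(blocks):
    """XOR all same-length blocks together; the result is the parity block."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_stripe(data_blocks, stripe_index):
    """Lay one stripe across len(data_blocks)+1 disks.

    RAID 5 rotates the parity position from stripe to stripe, so no single
    disk is the dedicated parity drive (unlike RAID 3/4).
    """
    disks = len(data_blocks) + 1
    parity_disk = stripe_index % disks
    stripe = list(data_blocks)
    stripe.insert(parity_disk, xor_parity(data_blocks))
    return stripe


def rebuild_disk(stripe, lost_disk):
    """Recover the block on a failed disk from the n-1 surviving blocks.

    Because parity = d0 ^ d1 ^ ... ^ dk, XOR-ing every surviving block
    (data and parity alike) yields exactly the missing block.
    """
    survivors = [b for i, b in enumerate(stripe) if i != lost_disk]
    return xor_parity(survivors)


if __name__ == "__main__":
    for level, disks in ((0, 2), (1, 2), (5, 4), (6, 4), (10, 4)):
        gb, tol = raid_summary(level, disks, 1000)
        print(f"RAID {level:>2} with {disks} x 1000 GB: usable {gb} GB, tolerates {tol} failure(s)")
    data = [b"AAAA", b"BBBB", b"CCCC"]           # constructed sample blocks
    stripe = raid5_stripe(data, stripe_index=1)  # parity lands on disk 1
    print("rebuilt disk 2:", rebuild_disk(stripe, 2))
```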
An online IT degree equips students to think critically and innovatively solve business problems via technology, and it covers a breadth of disciplines, including computer software, cyber and data security and project management.

What is Information Systems?

Information Systems refers to the management of an entire set of information, and it includes not only the technology components involved but the people and processes as well. Information Systems degree coursework ranges from programming to communications, helping students learn both the tech planning and business management sides of the field and how to implement these Information Systems to internally support companies and organizations.

What is the major difference between Information Technology and Information Systems?

Both Information Technology and Information Systems deal with computer-based systems to an extent, but they require different education and training. Think of Information Technology as a subset of Information Systems: while Information Systems covers the set of information as a whole, Information Technology refers specifically to the technology aspect within that system. The field of Information Systems works as the bridge between technology and people, whereas Information Technology focuses on helping them utilize and make sense of that system. The two disciplines are quite related, but have distinct sets of learnings and clear paths.

Information Technology Courses: A Bachelor of Science in Information Technology degree combines the practice and skills needed to build technical solutions, as well as the business theory to effectively apply them in the workplace. Information Technology courses such as Computer Organization & Architecture and Database Systems & Management are designed to help students become critical thinkers and technological problem-solvers.
Information Systems Courses: With a Bachelor of Arts in Business Information Systems degree, students become fluent in the development and operations of Information Systems and information sharing. With a course list that comprises Business Law, Database Management Systems and Business Systems Analysis, students will hone the technical and conceptual skills needed to manage the future of Information Technology.

Information Technology Careers: There is quite a variety of options for those with an Information Technology degree, as technology is making a greater and greater impact on the business world. Information Technology careers include:

▪ Computer and Information Research Technologist
▪ Computer Network Architects
▪ Computer Systems Analysts
▪ Information Security Analysts
▪ Software Developers, Applications Software
▪ Software Developers, Systems Software
▪ Web Developers

Information Systems Careers: With an increasing need for innovative Information Systems in the workplace, there are quite a number of opportunities for job growth in this field. Information Systems career options include:

▪ Systems Trainer
▪ Support Specialist
▪ E-commerce Developer
▪ Enterprise Systems Manager
▪ Information Resource Manager
▪ Technology Consultant
▪ Business Analyst

ICT Careers and Job Types: It's good to know the different career streams available in information technology (IT) and information and communications technology (ICT). Each job has a distinctive set of required skills and personal traits. Almost all IT jobs depend on strong technical knowledge. But each has a different emphasis, whether the job centres on coding, managing hardware, applying software, data science or managing systems or people. This list of 22 careers and major job types was constructed by researching which jobs require an IT background.
Having an IT or similar degree would be an asset for each career.

Business Analyst: Business analysts examine an organization (or part of a business) to determine how to better achieve goals. Almost always, there is a strong information technology component. That's because IT is integral to modern business operations. For example, analysts may scope out the potential effects of changing computer software. Analysts need to be adaptable because job requirements vary from company to company. To become a business analyst, you will probably need to obtain an entry-level position in the field and build a career from there. Business education in addition to advanced IT training confers an advantage.

Job Titles: business analyst, business and technology analyst, business development manager (ICT/networking), ICT business analyst, IT continuity risk analyst, manager (business systems maintenance), pre-sales customer technology strategist, reporting analyst, reporting and insights specialist, senior data business analyst, senior digital reporting analyst, senior forecast analyst, senior insights analyst, team leader (IT business systems).

Computer Service Technician: Computer service technicians (also referred to as computer repair technicians) repair computer hardware and software. Some of the common tasks are replacing defective components, removing spyware and viruses, disassembling hardware, and running diagnostic tests. If a job in this field is your goal, start getting as much experience as you can in assembling and repairing computers. CompTIA A+ certification is a helpful qualification. Also consider completing a program at a tech school or college.

Job Descriptions: CSI technician, computer service technician, field technician, ICT service technician, ICT support technician, IT support technician, IT systems technician, onsite support technician.
Cyber Security Specialist: Cyber security specialists protect the security of computer systems and networks. They need broad technical knowledge since security is an important consideration across most parts of a modern computer system. An IT-related degree is normally required for cyber security specialist jobs. Experience is critical for all but graduate or assistant positions, and certifications may give you a strong advantage over other applicants. Cyber security specialists enjoy an excellent average salary. Demonstrated expertise in a difficult field can place you in a commanding career position.

Job Titles: cyber security analyst, deputy director (operational cyber security), director (service operations and security), ICT risk and security specialist, ICT security analyst, ICT security specialist, information security manager, information security officer, IT security consultant, IT security engineer, IT security operations officer, IT security operations specialist, IT security specialist, security sales specialist (cyber security), senior systems officer (security).

Data Analyst: These professionals develop insight and gain information through the collection, analysis and interpretation of data. They work for businesses and other types of organizations, identifying and helping to solve problems. As a data analyst, you will use programming and computer software skills to complete statistical analysis of data. If you want to start a career as a data analyst, learn some programming languages and get a bachelor's degree in Information Technology and Data Analysis.

Job Titles: academic data analyst, associate data analyst, data analyst, data analyst-digital, data classification analyst, data quality analyst, digital data analyst, junior data analyst, marketing data analyst, master data analyst, people data analyst, privacy and data protection senior analyst, property data analyst, senior data analyst.
Data Centre Technician: As a data centre technician, you are instrumental in maintaining computer hardware networks and data servers. The data centre technician is necessary to keep a company’s data safe and secure. Duties and responsibilities include:

▪ Server repair and management
▪ Maintaining equipment to prevent problems
▪ Monitoring system processes
▪ Protecting data through cross-collaboration
▪ Providing technical education and support

To thrive as a data centre technician, you need skills in IT computer networking, hardware repair, troubleshooting and inventory management. You also need top-notch communication skills, including expertise in technical writing. In this career, you need to be able to work on your feet for long stretches and carry heavy-ish objects. Most employers strongly prefer candidates with either a bachelor’s or associate’s degree in a relevant technology field.

Job Descriptions: data centre technician, data centre technician lead, data centre IT support engineer, data centre facility management, data centre operations manager, entry level data centre technician, technical applications technician, technical consultant.

Data Scientist: A data scientist is in the same broad career stream as a data analyst. Perhaps the main difference is that data scientists are expected to use advanced programming skills more routinely. They don't just gain insights from data, but also do things like building complex behavioural models using big data. You can transition from being a data analyst to a data scientist. A master's degree in data science is a way to get into this line of work.
Job Titles: data analyst/scientist, data engineer, data science consultant, data scientist, data scientist-machine learning, director-data science, junior data analyst/scientist, lead data scientist, lecturer-data science, senior data analyst/scientist.

Database Administrator: Database administrators (DBAs) handle database security, integrity, and performance. They ensure data standards are consistent and data is accessible by users as needed, and they solve any problems encountered by users. These professionals might also be involved in database planning and development. A degree in an IT-related field is usually required, and it’s useful to have programming experience. Experienced DBAs have strong applied knowledge of database operating systems and technologies.

Job Titles: database administrator, e-health systems administrator, ICT database administrator, information management officer, senior information management specialist.

Database Analyst: Database analysts design, evaluate, review, and implement databases. In doing so, they organize and analyze collected information. They are often hired to update and maintain existing databases. To gain employment in this field, you generally need a degree in computer science or another IT field. Software development experience is also required for some jobs. Useful strengths include data modelling, database query creation, and the PHP, HTML, CSS, JavaScript and SQL languages.

Job Titles: asset knowledge systems analyst, data analyst and information manager, database analyst, database coordinator/analyst.

Hardware Engineer: Hardware engineers (also referred to as computer hardware engineers) oversee the manufacture and installation of computer systems, servers, circuit boards, and chips, as well as the testing of equipment. They also work with routers, printers, and keyboards.
People wanting a career in this lucrative field require a degree in computer engineering. Depending on the employer, a degree in electrical engineering or computer science might be an acceptable alternative. Creativity and good communication skills are useful complements to technical skills.

Job Titles: computer hardware engineer, hardware engineer, hardware test engineer, research assistant/junior engineer.

IT Consultant: IT consultants are professionals with significant IT experience and the confidence to find work by competing for service contracts. While they are often independent contractors, regular employment is sometimes available with large manufacturers of software and computing equipment, software and systems houses, and management consultancy firms. IT consultants can find clients across most industries. You can choose to specialize in fields such as security, software for a specific market, internet solutions, or web design.

Job Descriptions: associate technical specialist, environmental management information systems (EMIS) consultant, ICT contracts specialist, ICT project support officer, ICT security consultant, IT consultant, Oracle application technical consultant, senior IT recruitment consultant, senior technical specialist, senior technology specialist, test consultant.

IT Manager: IT managers are responsible for the electronic networks and IT teams of organizations. They ensure information system requirements are fulfilled. The job can be mainly supervisory at senior levels within large organizations. For small businesses, it can instead be very hands on. IT managers can work within organizations or as consultants doing discrete projects. Several years of experience in the field is normally required to take on a senior role, and you can benefit from doing an IT management master’s.
Job Titles: chief technology manager, client delivery manager, ICT category manager, ICT coordinator, ICT project manager, ICT program director, ICT procurement officer, ICT resource officer, information and communication technology (ICT) officer, information technology coordinator, IT administrator, IT manager, IT project administrator, project manager (information systems), program director, technical operations manager.

Multimedia Developer: Multimedia developers are skilled in computer programming and visual artistry. They design software and create multimedia applications by generating and manipulating animations, graphic images, text, sound, and video. Some examples of applications include multimedia presentations, educational and entertainment products, and computer-based interactive training. You might consider this career if you’re an IT graduate strong in visual arts. While a degree is useful, many people also start work in the field with only a relevant certificate.

Job Titles: digital content producer, e-Content development specialist, multimedia coordinator, multimedia developer, multimedia producer, multimedia specialist, software developer, web producer.

Network Administrator: This professional manages and troubleshoots computer networks. The network administrator is responsible for organizing and maintaining computer systems. He or she is often at the highest level of an organization’s technical staff. To become a network administrator, you will need a degree in an IT-related field. Employers also look for network-specific experience. Specialized certification in network administration might also be required. Most professionals in this area complete high-level training in the specific hardware or software used in the network.
Job Titles: ICT network and systems administrator, network administrator, network and systems administrator, network infrastructure administrator.

Network Engineer: Network engineers design and set up networks. Duties may include placing physical equipment, setting up the electronic equipment needed to activate it, and determining the appropriate antenna to ensure the best possible coverage. A career in this field frequently requires a computer science or closely related degree. Specialized certification is worth pursuing, as it gives you an advantage in the job search. Network engineers enjoy impressive salaries.

Job Titles: ICT network and systems engineer, network engineer, network project specialist, senior network engineer.

Programmer: While software developers design applications, it’s programmers who write the code needed for programs to function. Programmers also test software and update existing software. Many are employed by software companies. Necessary soft skills include problem solving, reading comprehension, active listening, attention to detail, and critical thinking. You might consider entering this field if you enjoy working with code for extended periods and testing the power of programming languages. As experience is an important asset, it’s helpful to do an internship or gain other hands-on experience while completing your formal education.

Job Titles: digital back-end developer, game programmer, graduate analyst/programmer, machine programmer, programmer, SAS programmer, senior analyst programmer, SQL programmer, test consultant, UI programmer.

Software Analyst: Software analysts bring software solutions to the people. They are the ones who connect the work of software developers to the use of software in the workplace. They help organizations develop software solutions to fit their needs.
To succeed in this field, you should be strong at both computer programming and dealing with people. Many software analyst jobs require a degree in computer science or a related discipline. Some employers might additionally ask for expertise in the industry (such as finance or healthcare). A related role to software analysis is ICT software sales.

Job Titles: enterprise solution architect, ICT sales representative, implementation analyst, lead application analyst, national applications specialist, research intelligence analyst, senior application analyst, software analyst.

Software Developer: Employers may use the term “software developer” interchangeably with “software engineer”. However, be aware that a “software engineering” job might specifically require you to apply engineering principles to software creation. Professionals in software development create and build out software. They provide detailed instructions and guidelines for the programmers who write the code. Occasionally, developers will code themselves. A bachelor’s degree is required for most positions in this field, which produces excellent salaries.

Job Titles: applications support engineer, data visualization developer, enterprise reporting and ETL developer, ICT applications development specialist, ICT engineer, ICT senior Drupal developer, Python developer, Python/integration developer, senior software engineer, senior user experience designer, software application integrator, software developer, software engineer, team leader (applications support), technical lead (applications delivery).

Systems Administrator: Systems administrators (or managers) configure, maintain, and ensure the continued reliability of computer systems. They mostly deal with multi-user computers, including servers. An organization’s systems administrator manages IT infrastructure, including servers and network equipment. The role is essential to the successful operation of any company with a computer system.
A degree in a field such as information technology or computer science is often required for administrator positions.

Job Titles: client services and information officer, ICT network and systems administrator, ICT systems administrator, ICT systems manager, information and user support officer, Linux systems administrator, people systems administrator, senior Windows system administrator, software administrator, systems administrator, system administration support officer, systems operation manager.

Systems Analyst: Systems analysts use their expertise to introduce computer systems, or to modify existing systems, as a way to boost technical efficiency and business productivity. For a given job, the starting point may be to assess the client’s system requirements. You then formulate solutions based on the latest technologies, taking budget constraints into account. A computer science, information management systems, or other IT-related degree is necessary to make you competitive in this field. You also need relevant work experience, as well as programming knowledge and project management skills.

Job Titles: applications support analyst, asset knowledge systems analyst, cluster IT specialist, e-Services systems team lead, ICT procurement sourcing analyst, ICT support analyst, ICT systems/data support analyst, ICT systems trainer, incident response analyst, infra support analyst, senior spatial information team leader (IT business systems), support analyst, technical analyst officer, systems analyst.

Systems Engineer: Systems engineers design, set up and manage computer systems. They often work closely with programmers, administrators and engineers. These professionals not only develop and test but also evaluate personal computers, circuits, software, and other system elements.
If you want to become a systems engineer, you will probably need a computer science, information technology, or engineering degree. You will also need to develop excellent communication and organizational management skills.

Job Titles: control systems engineer, ICT network and systems engineer, ICT systems engineer, senior/principal ICT engineer, senior systems engineer, systems administration field support engineer, systems developer (database applications), systems engineer, senior support engineer.

Tech Support: Tech support workers (help desk technicians) give essential technical support and troubleshooting services to end-users. In-house technicians provide support exclusively for employees of the company, while remote help desk technicians provide technical support to customers (mostly online). The job requires a strong understanding of software and computer hardware, and excellent communication skills. The role is generally considered entry-level where you provide customer service directly (and doesn’t necessarily require an IT degree). Senior positions are also available where you organize and manage support teams and/or systems.

Job Titles: desktop administrator, ICT helpdesk technician, ICT on-site support engineer, ICT service desk officer, ICT service support officer, ICT support officer, IT service desk analyst, desktop support technician, field service technician, field tech coordinator, IT support specialist, school technical officer, tech support, technical support officer, technology support officer.

Web Developer: Web developers design and establish websites. They are skilled in both programming and the design of pages, navigation and user interfaces. Knowledge of search engine optimization techniques is often important. Some jobs in this field require a bachelor’s degree in a relevant field, but all demand experience (which can be easily gained by creating a website).
Web developers can find work in a variety of different workplaces, since many different types of organizations need a strong web presence.

Job Titles: e-learning specialist, freelance web designer, frontend web developer, junior web designer, Python developer, Python integration developer, quality assurance technician, responsive web developer, SEM assistant, web designer, web developer, web developer internship.

Graphics Designer:

Data Quality Manager:
