Unit 27 - IT Systems and Business Continuity PDF
This document is a study unit on IT systems and business continuity, focusing on topics from the IIA's CIA exam syllabus. It details functional areas of IT operations, enterprise-wide resource planning, and contingency planning.
STUDY UNIT THIRTEEN
IT SYSTEMS AND BUSINESS CONTINUITY

13.1 Functional Areas of IT Operations
13.2 Enterprise-Wide Resource Planning (ERP)
13.3 Web Infrastructure
13.4 IT System Communications
13.5 Software Licensing
13.6 Contingency Planning

This study unit is the third of three covering Section VI: IT/Business Continuity from The IIA’s CIA Exam Syllabus. This section makes up 15% to 25% of Part 3 of the CIA exam and is tested at the awareness level. The relevant portion of the syllabus is highlighted below. (The complete syllabus is in Appendix A.)

13.1 FUNCTIONAL AREAS OF IT OPERATIONS

In the early days of computing, maintaining a rigid segregation of duties was a simple matter because the roles surrounding a mainframe computer were so specialized. As IT became more and more decentralized over the years, clear lines that once separated jobs such as systems analyst and programmer became blurred and then disappeared. Candidates for the CIA exam must be aware of the evolving roles of IT personnel.

1. Segregation of Duties
   a. Organizational controls concern the proper segregation of duties and responsibilities within the information systems department.
   b. Controls should ensure the efficiency and effectiveness of IT operations. They include proper segregation of the duties within the IT environment. Thus, the responsibilities of systems analysts, programmers, operators, file librarians, the control group, and others should be assigned to different individuals, and proper supervision should be provided.
Copyright © 2012-2013 Gleim Publications, Inc., and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com

   c. Segregation of duties is vital because a traditional segregation of responsibilities for authorization, recording, and access to assets may not be feasible in an IT environment.
      1) For example, a computer may print checks, record disbursements, and generate information for reconciling the account balance, which are activities customarily segregated in a manual system.
         a) If the same person provides the input and receives the output for this process, a significant control weakness exists. Accordingly, certain tasks should not be combined.
         b) Thus, compensating controls may be necessary, such as library controls, effective supervision, and rotation of personnel. Segregating test programs makes concealment of unauthorized changes in production programs more difficult.
2. Responsibilities of IT Personnel
   a. Systems analysts are specifically qualified to analyze and design computer information systems. They survey the existing system, analyze the organization’s information requirements, and design new systems to meet those needs. The design specifications will guide the preparation of specific programs by computer programmers.
      1) Systems analysts should not have access to data center operations, production programs, or data files.
   b. The database administrator (DBA) is the individual who has overall responsibility for developing and maintaining the database and for establishing controls to protect its integrity.
      1) Thus, only the DBA should be able to update data dictionaries.
      2) In small systems, the DBA may perform some functions of a database management system (DBMS). In larger applications, the DBA uses a DBMS as a primary tool.
   c. Programmers design, write, test, and document the specific programs according to specifications developed by the analysts.
      1) Programmers as well as analysts may be able to modify programs, data files, and controls. Thus, they should have no access to the data center operations or to production programs or data.
   d. The webmaster is responsible for the content of the organization’s website. (S)he works closely with programmers and network technicians to ensure that the appropriate content is displayed and that the site is reliably available to users.
   e. Operators are responsible for the day-to-day functioning of the data center, whether the organization runs a mainframe, servers, or anything in between.
      1) Operators load data, mount storage devices, and operate the equipment. Operators should not be assigned programming duties or responsibility for systems design. Accordingly, they also should have no opportunity to make changes in programs and systems as they operate the equipment.
         a) Ideally, computer operators should not have programming knowledge or access to documentation not strictly necessary for their work.
   f. Help desks are usually a responsibility of computer operations because of the operational nature of their functions. Help desk personnel log reported problems, resolve minor problems, and forward more difficult problems to the appropriate information systems resources, such as a technical support unit or vendor assistance.
   g. Information security officers are typically in charge of developing information security policies, commenting on security controls in new applications, and monitoring and investigating unsuccessful login attempts.
   h. Network technicians maintain the bridges, hubs, routers, switches, cabling, and other devices that interconnect the organization’s computers. They are also responsible for maintaining the organization’s connection to other networks, such as the Internet.
   i. End users must be able to change production data but not programs.

13.2 ENTERPRISE-WIDE RESOURCE PLANNING (ERP)

1. Overview
   a. Enterprise-wide resource planning (ERP) is the latest phase in the development of computerized systems for managing organizational resources. ERP is intended to integrate enterprise-wide information systems across the organization by creating one database linked to all of the entity’s applications.
   b. ERP connects all functional subsystems (human resources, the financial accounting system, production, marketing, distribution, purchasing, receiving, order processing, shipping, etc.) and also connects the organization with its suppliers and customers.
      1) Thus, ERP facilitates demand analysis and materials requirements planning.
      2) By decreasing lead times, it improves just-in-time inventory management.
      3) Even more importantly, ERP’s coordination of all operating activities permits flexible responses to shifts in supply and demand.
   c. The disadvantages of ERP are its extent and complexity, which make customization of the software difficult and costly.
   d. The leading products in the field are R/3, distributed by SAP, and JD Edwards EnterpriseOne and PeopleSoft Enterprise, both distributed by Oracle.
   e. Because ERP software is costly and complex, it is usually installed only by the largest enterprises. However, mid-size organizations are increasingly likely to buy ERP software.
   f. The benefits of ERP may significantly derive from the required business process reengineering.
      1) Using ERP software that reflects the best practices forces the linked subunits in the organization not only to redesign and improve their processes but also to conform to one standard.
      2) An organization may wish to undertake a reengineering project before choosing ERP software. The project should indicate what best practices already exist in the organization’s processes. This approach may be preferable for a unique enterprise in a highly differentiated industry.
         a) Carrying out a reengineering project before installing an ERP system defines what process changes are needed and which vendor software should be used.
         b) If the organization is not especially unique, vendor software probably is already based on industry best practices. In these circumstances, a preliminary reengineering project may not be needed. Thus, the organization should simply conform its processes to the software.
      3) The processes reflected in the ERP software may differ from the organization’s. In this case, the better policy is usually to change the organization’s processes. Customizing the ERP software is expensive and difficult, and it may result in bugs and awkwardness when adopting upgrades.
         a) Implementing an ERP system is likely to encounter significant resistance because of its comprehensiveness. Most employees will have to change ingrained habits and learn to use new technology. Hence, successful implementation requires effective change management.
2. Functions of a Traditional ERP
   a. Materials requirements planning (MRP) was an early attempt to create an integrated computer-based information system. It was designed to plan and control materials used in a production setting.
      1) MRP is a push system. It assumes that the demand for materials is typically dependent upon some other factor, which can be programmed. Thus, the timing of deliveries is vital to avoid production delays.
      2) For example, an auto manufacturer need only tell the system how many autos of each type are to be manufactured. The MRP system then generates a complete list of every part and component needed. MRP, in effect, creates schedules of when items on inventory will be needed in the production departments.
         a) If parts are not in stock, the system will automatically generate a purchase order on the proper date (considering lead times) so that deliveries will arrive on time. Hence, effective application of MRP necessitates the generation of accurate data about costs and amounts of inventory, setup costs, and costs of downtime.
   b. Manufacturing resource planning (MRP II) continued the evolution begun with MRP. It is a closed-loop manufacturing system that integrates all facets of a manufacturing business, including production, sales, inventories, schedules, and cash flows. The same system is used for the accounting, finance, and directing functions, which use the same transactions and numbers.
      1) MRP II includes forecasting and planning capacities for generating cash and other budgets.
      2) MRP II uses an MPS (master production schedule), which is a statement of the anticipated manufacturing schedule for selected items for selected periods. MRP also uses the MPS. Thus, MRP is a component of an MRP II system.
   c. The traditional ERP system is one in which subsystems share data and coordinate their activities.
      1) Thus, if marketing receives an order, it can quickly verify that inventory is sufficient to notify shipping to process the order.
         a) Otherwise, production is notified to manufacture more of the product, with a consequent automatic adjustment of output schedules.
         b) If materials are inadequate for this purpose, the system will issue a purchase order.
         c) If more labor is needed, human resources will be instructed to reassign or hire employees.
         d) The foregoing business processes (and others) should interact seamlessly in an ERP system. Moreover, the current generation of ERP software also provides the capability for smooth (and instant) interaction with the business processes of external parties.
      2) The subsystems in a traditional ERP system are internal to the organization. Hence, they are often called back-office functions. The information produced is principally (but not exclusively) intended for internal use by the organization’s managers.
3. Current Generation
   a. The current generation of ERP software (ERP II) has added front-office functions. These connect the organization with customers, suppliers, shareholders or other owners, creditors, and strategic allies (e.g., the members of a trading community or other business association). Accordingly, an ERP II system has the following interfaces with its back-office functions:
      1) Supply-chain management applications for an organization focus on relationships extending from its suppliers to its final customers. Issues addressed include distribution channels, warehousing and other logistical matters, routing of shipments, and sales forecasting.
         a) In turn, one organization’s supply chain is part of a linked chain of multiple organizations. This chain stretches from the producers of raw materials, to processors of those materials, to entities that make intermediate goods, to assemblers of final products, to wholesalers, to retailers, and lastly, to ultimate consumers.
         b) Supply chain management involves a two-way exchange of information. For example, a customer may be able to track the progress of its order, and the supplier may be able to monitor the customer’s inventory. Thus, the customer has better information about order availability, and the supplier knows when the customer’s inventory needs replenishment.
         c) An advanced planning and scheduling system may be an element of a supply chain management application for a manufacturer. It controls the flow of material and components within the chain. Schedules are created given projected costs, lead times, and inventories.
      2) Customer relationship management applications extend to customer service, finance-related matters, sales, and database creation and maintenance.
         a) Integrated data is helpful in better understanding customer needs, such as product preference or location of retail outlets. Thus, the organization may be able to optimize its sales forecasts, product line, and inventory levels.
            i) Business intelligence software is used to analyze customer data.
      3) Partner relationship management applications connect the organization not only with such partners as customers and suppliers but also with owners, creditors, and strategic allies (for example, other members of a joint venture).
         a) Collaborative business partnerships may arise between competitors or arise between different types of organizations, such as a manufacturer partnering with an environmental group. Special software may be helpful to the partners in sharing information, developing a common strategy, and measuring performance.
4. Configuration
   a. The following are the main elements of the architecture of an ERP:
      1) Current ERP systems have a client-server configuration with possibly scores or hundreds of client (user) computers.
         a) So-called thin clients have little processing ability, but fat clients may have substantial processing power.
         b) The system may have multiple servers to run applications and contain databases.
         c) The network architecture may be in the form of a local area network or wide-area network, or users may connect with the server(s) via the Internet.
         d) An ERP system may use almost any of the available operating systems and database management systems.
   b. An advantage of an ERP system is the elimination of data redundancy through the use of a central database.
      In principle, information about an item of data is stored once, and all functions have access to it.
      1) Thus, when the item (such as a price) is updated, the change is effectively made for all functions. The result is reliability (data integrity).
         a) If an organization has separate systems for its different functions, the item would have to be updated whenever it was stored. Failure of even one function to update the item would cause loss of data integrity. For example, considerable inefficiency may arise when different organizational subunits (IT, production, marketing, accounting, etc.) have different data about prices and inventory availability.
   c. An organization may not have the resources, desire, or need for an ERP system with the greatest degree of integration (e.g., SAP R/3).
      1) An alternative to a comprehensive system is a best-of-breed approach. Thus, an organization might install a traditional ERP system from one vendor and add e-commerce and other extended applications from separate niche vendors.
         a) An organization that adopts this approach needs to use middleware, that is, software that permits different applications to communicate and exchange data. This type of middleware is called an extended application interface.
   d. An ERP system that extends to customers, suppliers, and others uses Internet portals. In this case, a portal is a website through which authorized external users may gain access to the organization’s ERP.
      1) Portals provide links to related websites and services (e.g., newsletters, email, and e-commerce capabilities).
5. Implementation
   a. Implementation of ERP may take years and cost millions. Moreover, a poor implementation may cause the project to fail regardless of the quality of the software.
      1) However, more rapid and less costly implementation may be possible if no customization is done.
   b. The initial step is to do strategic planning and to organize a project team that is representative of affected employee groups.
   c. The second step is to choose ERP software and a consulting firm.
      1) One possibility is to choose the software before the consultants because the first decision may affect the second.
      2) Another option is to hire consultants to help with the selection of the software.
         a) The organization may then hire other consultants to help with implementation.
   d. The third and longest step is preimplementation.
      1) The length of the process design phase is a function of the extent of
         a) Reengineering
         b) Customization of the software
      2) Data conversion may be delayed because all departments must agree on the meaning of every data field, i.e., what values will be considered valid for that field.
      3) The ERP system and its interfaces must be tested.
   e. Implementation (“going live”) is not the final step. Follow-up is necessary to monitor the activities of the numerous employees who have had to change their routines. For example, a mistake caused by reverting to the old method of entering a sales order may have pervasive consequences in a new integrated system: a credit check, rescheduling of production, and ordering of materials.
   f. Training should be provided during implementation not only regarding technical matters but also to help employees understand the reasons for process changes. For example, the employees who enter sales orders should know what the effects will be throughout the system.
      1) Other change management techniques include effective communication to allay employee fears and the creation of user-friendly documents and interfaces.
6. Costs
   a. The costs of an ERP system include
      1) Losses from an unsuccessful implementation, e.g., sales declines
      2) Purchasing hardware, software, and services
      3) Data conversion from legacy systems to the new integrated system (but conversion software may help)
      4) Training
      5) Design of interfaces and customization
      6) Software maintenance and upgrades
      7) Salaries of employees working on the implementation
7. Benefits
   a. The benefits of an ERP system may be hard to quantify. They include
      1) Lower inventory costs
      2) Better management of liquid assets
      3) Reduced labor costs and greater productivity
      4) Enhanced decision making
      5) Elimination of data redundancy and protection of data integrity
      6) Avoidance of the costs of other means of addressing needed IT changes
      7) Increased customer satisfaction
      8) More rapid and flexible responses to changed circumstances
      9) More effective supply chain management
      10) Integration of global operations

13.3 WEB INFRASTRUCTURE

1. Overview
   a. The Internet is a network of networks all over the world. The Internet is descended from the original ARPANet, a product of the Defense Department’s Advanced Research Projects Agency (ARPA), introduced in 1969.
      1) The idea was to have a network that could not be brought down during an enemy attack by bombing a single central location. ARPANet connected computers at universities, corporations, and government. In view of the growing success of the Internet, ARPANet was retired in 1990.
   b. The Internet facilitates inexpensive communication and information transfer among computers, with gateways allowing mainframe computers to interface with personal computers.
      1) Very high-speed Internet backbones carry signals around the world and meet at network access points.
   c. Most Internet users obtain connections through Internet service providers (ISPs) that in turn connect either directly to a backbone or to a larger ISP with a connection to a backbone.
      1) The topology of the backbone and its interconnections may once have resembled a spine with ribs connected along its length but is now almost certainly more like a fishing net wrapped around the world with many circular paths.
   d. The three main parts of the Internet are the servers that hold information, the clients that view the information, and the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols that connect the two.
   e. A gateway, often implemented via software, translates between two or more different protocol families and makes connections between dissimilar networks possible.
2. Servers
   a. A server is generally a dedicated computer or device that manages specific resources.
      1) A file server is a computer in a network that operates as a librarian.
      2) A web server hosts a website.
      3) An enterprise server manages computer programs that collectively serve the needs of an organization.
   b. One of the risks associated with having data centrally located is that data files may be subject to change by unauthorized users without proper documentation or any indication of who made the changes.
3. Mainframes to Desktops
   a. Large mainframe computers dominated the electronic data processing field in its first decades.
      1) Mainframes were arranged so that all processing and data storage were done in a single, central location.
      2) Communication with the mainframe was accomplished with the use of dumb terminals, simple keyboard-and-monitor combinations with no processing power (i.e., no CPU) of their own.
   b. The next stage in the evolution of networking was to connect computers not in different rooms of a building, but in separate buildings and eventually separate countries.
      1) In all-digital networks, such as LANs (discussed in Subunit 13.4) and connections between dumb terminals and mainframes, repeaters are placed every so often to revive the digital signal and return it to its full square-wave shape.
         a) This is obviously not an option with the existing telephone network and its hundreds of thousands of miles of wire.
         b) The solution is simply to convert the computer’s digital signal into an analog signal (modulation), send it over the phone line, then reconvert it to a digital signal at the other end (demodulation).
         c) The device that performs these conversion and reconversion functions is a modem (short for modulator-demodulator).
      2) The introduction of the modem allowed organizations to begin moving information between locations in purely electronic format, eliminating the need for the passage of physical documents. The potential for cost savings in this technology was obvious.
   c. Improvements in technology have led to increasing decentralization of information processing.
      1) The mainframe-style computer was the only arrangement available in the early days of data processing. International Business Machines (now called IBM) dominated the marketplace.
         a) Mainframes are still in use at large institutions, such as governments, banks, insurance companies, and universities.
            i) However, remote connections to them are usually through desktop computers rather than through dumb terminals. This is known as terminal emulation.
         b) In the 1980s, the minicomputer gave organizations the ability to perform data processing without the high cost and large dedicated facilities of a mainframe.
            Digital Equipment Corporation (DEC) and Hewlett-Packard (HP) dominated this market.
         c) As minicomputers evolved, the concept of distributed processing arose.
            i) Distributed processing involves the decentralization of processing tasks and data storage and assigning these functions to multiple computers, often in separate locations.
            ii) This allowed for a drastic reduction in the amount of communications traffic because data that were needed locally could reside locally.
         d) In 1981, IBM introduced the Personal Computer (PC). This designation quickly lost its status as a brand name and became a generic term for almost any computer smaller than a minicomputer.
      2) During the 1980s, desktop computers, and the knowledge needed to build information systems, became widespread throughout the organization.
         a) In the early part of this period, the only means of moving data from one computer to another was the laborious process of copying the data to a diskette and physically carrying it to the destination computer. This method of connecting computers was called sneakernet, after the footwear involved.
         b) It was clear that a reliable way of wiring office computers together would lead to tremendous gains in productivity.
4. Languages and Protocols
   a. The Internet was initially restricted to email and text-only documents.
      1) In the 1980s, English computer scientist Tim Berners-Lee conceived the idea of allowing users to click on a word or phrase (a hyperlink) on their screens and having another document automatically be displayed.
      2) Berners-Lee created a simple coding mechanism called Hypertext Markup Language (HTML) to perform this function. He also created a set of rules called Hypertext Transfer Protocol (HTTP) to allow hyperlinking across the Internet rather than on just a single computer. He then created a piece of software, called a browser, that allowed users to read HTML from any brand of computer. The result was the World Wide Web (often simply called the Web).
      3) As the use of HTML and its successor languages spread, it became possible to display rich graphics and stream audio and video in addition to displaying text.
   b. Extensible Markup Language (XML) was developed by an international consortium and released in 1998 as an open standard usable with many programs and platforms. XML is a variation of HTML (hypertext markup language), which uses fixed codes (tags) to describe how web pages and other hypermedia documents should be presented.
      1) XML codes all information in such a way that a user can determine not only how it should be presented but also what it is; i.e., all computerized data may be tagged with identifiers.
      2) Unlike HTML, XML uses codes that are extensible, not fixed. Thus, if an industry can agree on a set of codes, software for that industry can be written that incorporates those codes.
      3) For example, XML allows the user to label the Uniform Product Code (UPC), price, color, size, etc., of goods so that other systems will know exactly what the tag references mean. In contrast, HTML tags would only describe how items are placed on a page and provide links to other pages and objects.
      4) Standards setters and other entities are attempting to find ways to incorporate XML with EDI.
   c. Extensible Business Reporting Language (XBRL) for financial statements is the specification developed by an AICPA-led consortium for commercial and industrial entities that report in accordance with U.S. GAAP. It is a variation of XML that is expected to decrease the costs of generating financial reports, reformulating information for different uses, and sharing business information using electronic media.
5. Uses
   a. With the explosive growth of the World Wide Web in the 1990s, whole new distribution channels opened up for businesses.
      Consumers could browse a vendor’s catalog using the rich graphics of the Web, initiate an order, and remit payment, all from the comfort of their homes.
      1) An organization’s presence on the Web is constituted in its website. The website consists of a home page, which is the first screen encountered by users, and subsidiary web pages (screens constructed using HTML or a similar language).
      2) Every page on the World Wide Web has a unique address, recognizable by any web-enabled device, called a Uniform Resource Locator (URL). However, just because the address is recognizable does not mean it is accessible to every user; security is a major feature of any organization’s website.
   b. An intranet permits sharing of information throughout an organization by applying Internet connectivity standards and web software (e.g., browsers) to the organization’s internal network.
      1) An intranet addresses the connectivity problems of an organization with many types of computers. It is ordinarily restricted to those within the organization and to outsiders after appropriate identification.
      2) An extranet consists of the linked intranets of two or more organizations, for example, of a supplier and its customers. It typically uses the public Internet as its transmission medium but requires a password for access.

13.4 IT SYSTEM COMMUNICATIONS

1. Systems Software
   a. Systems software performs the fundamental tasks needed to manage computer resources. The most basic piece of systems software is the operating system.
   b. An operating system is an interface among users, application software, and the computer’s hardware (CPU, disk drives, printers, communications devices, etc.).
      1) z/OS is the most recent operating system for the IBM mainframe.
      2) Server operating systems include Unix, Linux, Microsoft Windows Server, and Apple MacOS X Server. Inherent networking capabilities are an important part of server operating systems.
      3) Microsoft Windows, Apple MacOS, and Linux are operating systems for desktop computers.
   c. Utility programs are sometimes called privileged software.
      1) Utilities perform basic data maintenance tasks, such as
         a) Sorting, e.g., arranging all the records in a file by invoice number;
         b) Merging, meaning combining the data from two files into one; and
         c) Copying and deleting entire files.
      2) Utilities are extremely powerful.
         a) For instance, a utility program could be used to read a file that contains all user access codes for the network. A control feature to negate this vulnerability is to encrypt passwords before storing them in the file.
         b) In any case, the use of utility programs should be restricted to appropriate personnel, and each occurrence should be logged.
2. Network Equipment
   a. Networks consist of (1) the hardware devices being connected and (2) the medium through which the connection is made.
   b. Client devices. Devices of all sizes and functions (mainframes, laptop computers, personal digital assistants, MP3 players, printers, scanners, cash registers, ATMs, etc.) can be connected to networks.
      1) Connecting a device to a network requires a network interface card (NIC). The NIC allows the device to speak that particular network’s “language,” that is, its protocol.
      2) A development in the late 1990s called the thin client explicitly mimics the old mainframe-and-terminal model.
         a) A typical thin client consists merely of a monitor, a keyboard, and a small amount of embedded memory. The key is that it has no local hard drive.
         b) Essentially all processing and data storage is done on the servers. Just enough of an application is downloaded to the client to run it.
c) An advantage of this architecture is the large amount of IT staff time and effort saved that formerly went to configuring and troubleshooting desktop machines. A disadvantage is that there must be 100% server availability for any work to be done by users.
d) The thin client architecture has not met with widespread use because the cost of hard drives has continued to steadily decrease, defying predictions.

3. Data and Network Communication
a. A protocol is a set of formal rules or conventions governing communication between a sending and receiving device. It prescribes the manner by which data is transmitted between these communication devices. In essence, a protocol is the envelope within which each message is transmitted throughout a data communications network.
b. A network consists of multiple connected computers at multiple locations. Computers that are electronically linked permit an organization to assemble and share transaction and other information among different physical locations.
c. A local area network (LAN) connects devices within a single office or home or among buildings in an office park. The LAN is owned entirely by a single organization.
1) The LAN is the network familiar to office workers all over the world. In its simplest form, it can consist of a few desktop computers and a printer.
2) A peer-to-peer network operates without a mainframe or file server, but does processing within a series of personal computers.
3) This need led to the development of the local area network (LAN). A LAN is any interconnection between devices in a single office or building.
a) Very small networks with few devices can be connected using a peer-to-peer arrangement, where every device is directly connected to every other.
b) Peer-to-peer networks become increasingly difficult to administer with each added device.
4) The most cost-effective and easy-to-administer arrangement for LANs uses the client-server model.
a) Client-server networks differ from peer-to-peer networks in that the devices play more specialized roles. Client processes (initiated by the individual user) request services from server processes (maintained centrally).
b) In a client-server arrangement, servers are centrally located and devoted to the functions that are needed by all network users.
i) Examples include mail servers (to handle electronic mail), application servers (to run application programs), file servers (to store databases and make user inquiries more efficient), Internet servers (to manage access to the Internet), and web servers (to host websites).
ii) Whether a device is classified as a server is not determined by its hardware configuration but rather by the function it performs. A simple desktop computer can be a server.
c) Technically, a client is any object that uses the resources of another object. Thus, a client can be either a device or a software program.
i) In common usage, however, “client” refers to a device that requests services from a server. This understanding of the term encompasses anything from a powerful graphics workstation to a smartphone.
ii) A client device normally displays the user interface and enables data entry, queries, and the receipt of reports. Moreover, many applications, e.g., word processing and spreadsheet software, run on the client computer.
d) The key to the client-server model is that it runs processes on the platform most appropriate to that process while attempting to minimize traffic over the network.
e) Security for client-server systems may be more difficult than in a highly centralized system because of the numerous access points.
d. A metropolitan area network (MAN) connects devices across an urban area, for instance, two or more office parks.
1) This concept had limited success as a wire-based network, but it may be more widely used as a microwave network.
e. A wide area network (WAN) consists of a group of LANs operating over widely separated locations. A WAN can be either publicly or privately owned.
1) WANs come in many configurations. The simplest consists of one desktop computer using a slow dialup line to connect to an Internet service provider.
2) Publicly owned WANs, such as the public telephone system and the Internet, are available to any user with a compatible device. The assets of these networks are paid for by means other than individually imposed user fees.
a) Public-switched networks use public telephone lines to carry data. This arrangement is economical, but the quality of data transmission cannot be guaranteed, and security is questionable.
3) Privately owned WANs are profit-making enterprises. They offer fast, secure data communication services to organizations that do not wish to make their own large investments in the necessary infrastructure.
a) Value-added networks (VANs) are private networks that provide their customers with reliable, high-speed secure transmission of data.
i) To compete with the Internet, these third-party networks add value by providing their customers with (a) error detection and correction services, (b) electronic mailbox facilities for EDI purposes, (c) EDI translation, and (d) security for email and data transmissions.
b) Virtual private networks (VPNs) are a relatively inexpensive way to solve the problem of the high cost of leased lines.
i) A company connects each office or LAN to a local Internet service provider and routes data through the shared, low-cost public Internet.
ii) The success of VPNs depends on the development of secure encryption products that protect data while in transit.
c) A private branch exchange (PBX) is a specialized computer used for both voice and data traffic.
i) A PBX can switch digital data among computers and office equipment, e.g., printers, copiers, and fax machines. A PBX uses telephone lines, so its data transmission capacity is limited.

4. Classifying Networks by Protocol
a. A protocol is a set of standards for message transmission among the devices on the network.
b. LAN Protocols
1) Ethernet has been the most successful protocol for LAN transmission. The Ethernet design breaks up the flow of data between devices into discrete groups of data bits called “frames.”
a) Ethernet is described as following the “polite conversation” method of communicating.
i) Each device “listens” to the network to determine whether another conversation is taking place, that is, whether the network is busy moving another device’s message.
ii) Once the network is determined to be free of traffic, the device sends its message.
c. Switched Networks
1) As described earlier, in a LAN, all the devices and all the transmission media belong to one organization.
a) This single ownership of infrastructure assets plus the ability to unify all communication on a single protocol make for great efficiency and security.
2) When communication must cross organizational boundaries or travel beyond a limited geographical range, this single ownership principle no longer applies. A WAN is the applicable model.
a) A WAN, with its hundreds of users and much greater distances, could never function using the collision-detection-and-retransmission method of Ethernet. To overcome this, the technique called switching is used.
3) Switching takes two basic forms:
a) In circuit switching, a single physical pathway is established in the public telephone system, and that pathway is reserved for the full and exclusive use of the two parties for the duration of their communication.
i) An example is an ordinary landline telephone call or a dial-up connection from a modem. This is obviously a slow and insecure alternative for data transmission.
b) In packet switching, the data bits making up a message are broken up into “packets” of predefined length. Each packet has a header containing the electronic address of the device for which the message is intended.
4) Switches are the networking devices that read the address on each packet and send it along the appropriate path to its destination.
a) A convenient analogy is a group of 18-wheelers loaded with new machinery destined for a remote plant site. The trucks leave the machinery vendor’s factory headed to the destination.
i) As each truck arrives at a traffic light, it stops while vehicles going in other directions pass through the intersection.
ii) As the trucks arrive at the plant site, they are unloaded and the machinery is installed.
5) By allowing message flow from many different organizations to pass through common points, switches spread the cost of the WAN infrastructure.
a) Frame relay and ATM (asynchronous transfer mode) are examples of fast packet switched network protocols.
d. Routed Networks
1) Routers have more intelligence than hubs, bridges, or switches.
a) Routers have tables stored in memory that tell them the most efficient path along which each packet should be sent.
b) The analogy is the trucks leaving the machinery vendor’s factory with the same destination.
i) As the trucks stop at each intersection, traffic cops redirect them down different routes depending on traffic conditions.
ii) As the trucks arrive in unknown sequence at the plant site, they are held until the machinery can be unloaded in the correct order.
2) Routing is what makes the Internet possible.
a) Transmission Control Protocol/Internet Protocol (TCP/IP) is the suite of routing protocols that makes it possible to interconnect many thousands of devices from dozens of manufacturers all over the world through the Internet.
b) IP addressing (also called dotted decimal addressing) is the heart of Internet routing. It allows any device anywhere in the world to be recognized on the Internet through the use of a standard-format IP address.
i) Each of the four decimal-separated elements of the IP address is a numeral between 0 and 255, for example: 128.67.111.25
c) Dynamic host configuration protocol (DHCP) allows tremendous flexibility on the Internet by enabling the constant reuse of IP addresses.
i) Routers generally have their IP addresses hardcoded when they are first installed. However, the individual client devices on most organizational networks are assigned an IP address by DHCP from a pool of available addresses every time they boot up.
e. Wireless Networks
1) The Wi-Fi family of protocols supports client devices within a radius of about 300 feet around a wireless router. This usable area is called a hotspot.
a) Wi-Fi avoids the collisions inherent in Ethernet by constantly searching for the best frequency within its assigned range to use.
b) Security was a problem in early incarnations of Wi-Fi. Later versions alleviated some of these concerns with encryption.
2) The Bluetooth standard operates over a much smaller radius than Wi-Fi, about 30 feet. This distance permits the creation of what has come to be called the personal area network or PAN (i.e., a network of devices for a single user).
a) Bluetooth is considerably slower than Wi-Fi.
3) The WiMax standard uses microwaves to turn an entire city into a hotspot, reviving the old MAN model. The radius is about 10 miles, and it is generally faster than traditional Wi-Fi.
4) Radio-frequency identification (RFID) technology involves the use of a combined microchip with antenna to store data about a product, pet, vehicle, etc. Common applications include
a) Inventory tracking
b) Lost pet identification
c) Tollbooth collection

5. Voice Communications
a. Voice communication channels differ from the data channels connecting the CPU and peripheral equipment. They are the communications media for transmitting voice signals and are classified according to their capacity.
1) An example of a voiceband channel is a telephone line.
2) Internet telephony, known as voice-over IP (VoIP), is any transmission of two-way voice communication that uses the Internet for all or part of its path. This can be performed with (a) traditional telephone devices; (b) desktop computers equipped with a sound card, microphone, and speakers; or (c) terminals dedicated to this function.
b. Voice recognition input devices are still another alternative to keyboard input. These systems compare the speaker’s voice patterns with prerecorded patterns. Advanced systems now have large vocabularies and shorter training periods. They allow for dictation and are not limited to simple commands.
c. A voice output device converts digital data into speech using prerecorded sounds.
d. A cell phone uses radio waves to transmit voice and data through antennas in a succession of cells or defined geographic areas.
e. Personal communications service(s) (PCS) is a cellular technology based on lower-power, higher-frequency radio waves.
The cells (i.e., the geographic areas of signal coverage) must be smaller and more numerous, but the phones should be smaller and less expensive and be able to operate where other such devices cannot.
f. Voicemail converts spoken messages from analog to digital form, transmits them over a network, and stores them on a disk. Messages are then converted back to analog form when the recipient desires to hear them. Afterward, they may be saved, forwarded, or deleted.
g. Conducting an electronic meeting among several parties at remote sites is teleconferencing. It can be accomplished by telephone or electronic mail group communication software.
1) Videoconferencing permits the conferees to see each other on video screens.
2) These practices have grown in recent years as companies have attempted to cut their travel costs.

13.5 SOFTWARE LICENSING

1. Rights Pertaining to Software
a. Software is copyrightable, but a substantial amount is in the public domain. Networks of computer users may share such software.
1) Shareware is software made available for a fee (usually with an initial free trial period) by the owners to users through a distributor (or websites or electronic bulletin board services).
b. Software piracy is a problem for vendors. Any duplication of the software beyond what is allowed in the software license agreement is illegal.
1) The best way to detect an illegal copy of application software is to compare the serial number on the screen with the vendor’s serial number.
2) Use of unlicensed software increases the risk of introducing computer viruses into the organization. Such software is less likely to have been carefully tested.
3) To avoid legal liability, controls also should be implemented to prevent use of unlicensed software that is not in the public domain.
A software licensing agreement permits a user to employ either a specified or an unlimited number of copies of a software product at given locations, at particular machines, or throughout the organization. The agreement may restrict reproduction or resale, and it may provide subsequent customer support and product improvements.
4) Software piracy can expose an organization’s people to both civil and criminal penalties. The Business Software Alliance (BSA) is a worldwide trade group that coordinates software vendors’ efforts to prosecute the illegal duplication of software.
c. Diskless workstations increase security by preventing the copying of software to a flash drive from a workstation. This control not only protects the company’s interests in its data and proprietary programs but also guards against theft of licensed third-party software.
d. To shorten the installation time for revised software in a network, an organization may implement electronic software distribution (ESD), which is the computer-to-computer installation of software on workstations. Instead of weeks, software distribution can be accomplished in hours or days and can be controlled centrally. Another advantage of ESD is that it permits the tracking of PC program licenses.

13.6 CONTINGENCY PLANNING

1. Overview
a. The information security goal of data availability is primarily the responsibility of the IT function.
b. Contingency planning is the name commonly given to this activity.
1) Disaster recovery is the process of resuming normal information processing operations after the occurrence of a major interruption.
2) Business continuity is the continuation of business by other means during the period in which computer processing is unavailable or less than normal.
c. Plans must be made for two major types of contingencies: those in which the data center is physically available and those in which it is not.
1) Examples of the first type of contingency are (a) power failure, (b) random intrusions such as viruses, and (c) deliberate intrusions such as hacking incidents. The organization’s physical facilities are sound, but immediate action is required to continue normal processing.
2) The second type of contingency is much more serious. It is caused by disasters such as floods, fires, hurricanes, or earthquakes. An occurrence of this type requires an alternate processing facility.

2. Backup and Rotation
a. Periodic backup and offsite rotation of computer files is the most basic part of any disaster recovery or business continuity plan.
1) An organization’s data are more valuable than its hardware. Hardware can be replaced for a price, but each organization’s data are unique and indispensable to operations. If they are destroyed, they cannot be replaced. For this reason, periodic backup and rotation are essential.
b. A typical backup routine duplicates all data files and application programs once a month. Incremental changes are then backed up and taken to an offsite location once a week. (Application files and data must be backed up because both change.)
1) In case of an interruption of normal processing, the organization’s systems can be restored such that, at most, 7 days of business information is lost. This is not ideal, but it is preferable to a complete loss of files that could bankrupt the organization.
c. The offsite location must be temperature- and humidity-controlled and guarded against physical intrusion. Just as important, it must be far enough away from the site of main operations not to be affected by the same natural disaster. Adequate backup is useless if the files are not accessible or have been destroyed.

3. Risk Assessment Steps
a. Identify and prioritize the organization’s critical applications.
1) Not all of an organization’s systems are equally important. The firm must decide which vital applications it simply cannot do business without and in what order they should be brought back into operation.
b. Determine the minimum recovery time frames and minimum hardware requirements.
1) How long will it take to reinstall each critical application, and what platform is required? If the interruption has been caused by an attack, such as a virus or hacker, how long will it take to isolate the problem and eliminate it from the system?
c. Develop a recovery plan.

4. Disaster Recovery Plan (DRP)
a. Disaster recovery is the process of regaining access to data (e.g., hardware, software, and records), communications, work areas, and other business processes.
b. Thus, a DRP that is established and tested must be developed in connection with the business continuity plan. It should describe IT recovery strategies, including details about procedures, vendors, and systems.
1) Detailed procedures must be updated when systems and businesses change. The following are examples of items addressed by the DRP:
a) Data center
b) Applications and data needed
c) Servers and other hardware
d) Communications
e) Network connections
f) IT infrastructure (e.g., log-on services and software distribution)
g) Remote access services
h) Process control systems
i) File rooms
j) Document management systems
c. The following are considerations for choosing DRP strategies:
1) The DRP should be based on the business impact analysis.
2) The recovery abilities of critical service providers must be assessed.
3) The recovery of IT components often must be combined to recover a system.
4) Service providers (internal and external) must furnish recovery information, such as their (a) responsibilities, (b) limitations, (c) recovery activities, (d) recovery time and point objectives, and (e) costs.
5) Strategies for components may be developed independently. The objective is the best, most cost-effective solution that (a) allows user access and (b) permits components to work together, regardless of where systems are recovered.
6) Security and compliance standards must be considered.

5. Contingencies with Data Center Available
a. The purchase of backup electrical generators protects against power failures. These can be programmed to begin running automatically as soon as a dip in electric current is detected. This practice is widespread in settings such as hospitals where 24-hour availability is crucial.
b. Attacks such as viruses and denial-of-service require a completely different response. The system must be brought down “gracefully” to halt the spread of the infection. The IT staff must be well trained in the nature of the latest virus threats to know how to isolate the damage and bring the system back to full operation.

6. Contingencies with Data Center Unavailable
a. The most extreme contingency is a disaster that makes the organization’s main facility uninhabitable. To prepare for these cases, organizations contract for alternate processing facilities.
b. An alternate processing facility is a physical location maintained by an outside contractor for the purpose of providing processing facilities for customers in case of disaster.
1) The recovery center, like the off-site storage location for backup files, must be far enough away from the main facility that it is not affected by the same natural disaster.
Usually, organizations contract for backup facilities in another city.
2) Once processing is no longer possible at the principal site, the backup files are retrieved from the secure storage location and taken to the recovery center.
c. Recovery centers take two basic forms. Organizations determine which facility is best by calculating the trade-off between the cost of the contract and the cost of downtime.
1) A hot site is a fully operational processing facility that is immediately available. The organization generally contracts with a service provider.
a) For a fee, the service provider agrees to have a hardware platform and communications lines substantially identical to the organization’s ready for use 24 hours a day, 365 days a year.
b) This solution is the least risky and most expensive.
c) Any contract for a hot site must include a provision for annual testing.
i) The service provider agrees to a window of time in which the organization can declare a fake disaster, load its backup files onto the equipment at the hot site, and determine how long it takes to resume normal processing.
2) A warm site is a compromise between a cold and hot site, combining features of both.
a) Resources are available at the site but may need to be configured to support the production system.
b) Some data may need to be restored.
c) Typical recovery time ranges from 2 days to 2 weeks.
3) A cold site is a shell facility with sufficient electrical power, environmental controls, and communications lines to permit the organization to install its own newly acquired equipment.
a) On an ongoing basis, this solution is much less expensive.
b) However, the time to procure replacement equipment can be weeks or months. Also, emergency procurement from equipment vendors can be very expensive.

7. Other Technologies for Restoration of Processing
a. Fault-tolerant computer systems (formerly called fail-soft systems) have additional hardware and software as well as a backup power supply. A fault-tolerant computer has additional chips and disk storage. This technology is used for mission-critical applications that cannot afford to suffer downtime.
1) The technology that permits fault-tolerance is the redundant array of inexpensive (or independent) disks, or RAID. It is a group of multiple hard drives with special software that allows for data delivery along multiple paths. If one drive fails, the other disks can compensate for the loss.
b. High-availability computing is used for less-critical applications because it provides for a short recovery time rather than the elimination of recovery time.

8. Business Continuity Management (BCM) Overview
a. The objective of BCM is to restore critical processes and to minimize financial and other effects of a disaster or business disruption.
b. BCM is the third component of an emergency management program. Its time frame is measured in hours and days if not weeks. The other components are
1) Emergency response, the goal of which is lifesaving, safety, and initial efforts to limit the effects of a disaster to asset damage. Its time frame is measured in hours if not minutes.
2) Crisis management, the focus of which is managing communications and senior management activities. Its time frame is measured in days if not hours.

9. Elements of BCM
a. Management Support
1) Management must assign adequate resources to preparing, maintaining, and practicing a business continuity plan.
b. Risk Assessment and Mitigation
1) The entity must (a) define credible risk events (threats), (b) assess their effects, and (c) develop risk mitigation strategies.
c. Business Impact Analysis
1) This analysis identifies business processes necessary to functioning in a disaster and determines how soon they should be recovered.
2) The organization (a) identifies critical processes, (b) defines the recovery time objective and the recovery point objective for processes and resources, and (c) identifies the other parties (e.g., vendors and other divisions of the organization) and physical resources (e.g., critical equipment and records) needed for recovery.
a) A recovery time objective is the duration of time and service level within which a process must be restored. A recovery point objective is the amount of data the organization can afford to lose.
b) The cost of a recovery solution ordinarily increases as either objective decreases.
d. Business Recovery and Continuity Strategy
1) A crucial element of business recovery is the existence of a comprehensive and current disaster recovery plan, which addresses the actual steps, people, and resources required to recover a critical business process. (Disaster recovery plans were discussed in greater detail earlier.)
2) The organization plans for
a) Alternative staffing (e.g., staff remaining at the site, staff at another site, or staff of another organization),
b) Alternative sourcing (e.g., use of nonstandard products and services, use of diverse suppliers, outsourcing to organizations that provide standard services, or reciprocal agreements with competitors),
c) Alternative work spaces (e.g., another organization facility, remote access with proper security, or a commercial recovery site), and
d) The return to normal operations (e.g., entry of manually processed data, resolution of regulatory and financial exceptions, return of borrowed equipment, and replenishment of products and supplies).
e. Awareness, Exercises, and Maintenance
1) Education and awareness (including training exercises) are vital to BCM and execution of the business continuity plan.
2) The BCM capabilities and documentation must be maintained to ensure that they remain effective and aligned with business priorities.
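
The monthly-full, weekly-incremental routine described under "Backup and Rotation" and the recovery point objective defined under "Business Impact Analysis" can be checked mechanically. The Python sketch below is an added example, not part of the study unit: the dates, the function names, and the assumption that each incremental holds only the changes since the previous backup are constructed for illustration. It builds the schedule, derives the restore chain for a given failure date, and shows how one unreadable offsite volume widens the data loss beyond the 7-day figure.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    day: date   # the backup captures the state at the end of this day
    kind: str   # "full" or "incremental"


def build_schedule(year, month, months):
    """Full backup on the 1st of each month, incrementals every 7 days after it."""
    schedule = []
    for _ in range(months):
        first = date(year, month, 1)
        next_first = date(year + (month == 12), month % 12 + 1, 1)
        schedule.append(Backup(first, "full"))
        day = first + timedelta(days=7)
        while day < next_first:
            schedule.append(Backup(day, "incremental"))
            day += timedelta(days=7)
        year, month = next_first.year, next_first.month
    return schedule


def worst_case_loss_days(schedule):
    """Largest gap between consecutive backups: the loss if a failure
    strikes on the day of a backup, before that backup has run."""
    days = [b.day for b in schedule]
    return max((later - earlier).days for earlier, later in zip(days, days[1:]))


def restore_chain(schedule, failure, unusable=frozenset()):
    """Backups to load, in order, after a failure during the day `failure`.

    `unusable` holds the days whose offsite media are missing or unreadable.
    Assumption: an incremental can only be applied on top of every backup
    that precedes it, so the chain stops at the first unusable volume.
    """
    taken = [b for b in schedule if b.day < failure]
    fulls = [b for b in taken if b.kind == "full" and b.day not in unusable]
    if not fulls:
        return []                      # nothing to restore from
    base = fulls[-1]                   # newest readable full backup
    chain = [base]
    for b in taken:
        if b.day <= base.day:
            continue
        if b.day in unusable:
            break                      # chain is broken from here on
        chain.append(b)
    return chain


def data_loss_days(schedule, failure, unusable=frozenset()):
    """Days of business information lost, or None if no restore is possible."""
    chain = restore_chain(schedule, failure, unusable)
    if not chain:
        return None
    return (failure - chain[-1].day).days


def meets_rpo(loss_days, rpo_days):
    """True when the loss stays within the recovery point objective."""
    return loss_days is not None and loss_days <= rpo_days


# Constructed sample: three months of backups and a failure on 20 Feb 2013.
SCHEDULE = build_schedule(2013, 1, 3)
FAILURE = date(2013, 2, 20)

if __name__ == "__main__":
    print("worst-case loss (days):", worst_case_loss_days(SCHEDULE))
    for label, bad in [("all media readable", set()),
                       ("8 Feb incremental unreadable", {date(2013, 2, 8)}),
                       ("1 Feb full unreadable", {date(2013, 2, 1)})]:
        chain = restore_chain(SCHEDULE, FAILURE, bad)
        loss = data_loss_days(SCHEDULE, FAILURE, bad)
        print(label, [f"{b.kind}@{b.day}" for b in chain],
              "loss:", loss, "meets 7-day RPO:", meets_rpo(loss, 7))
```

The second and third cases are the reason the offsite copies have to be verified as readable: the schedule alone bounds the loss at 7 days only when every volume in the chain can actually be restored.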