Problems and Issues With Mis

The document discusses problems and issues with management information systems (MIS). It identifies several common development issues with MIS including ambiguous or conflicting goals. Usage problems include processes that are too difficult, slow, or unreliable. Effective MIS requires measurable definitions and an understanding of how different types of systems apply to businesses. Quality assurance (QA) aims to ensure products and services meet requirements through systematic monitoring and feedback.

Uploaded by

Rohit Dhaware
Copyright
© Attribution Non-Commercial (BY-NC)

PROBLEMS AND ISSUES WITH MIS

Definition

A MIS manages the information a business needs to run effectively. While these systems have existed for hundreds of years, the MIS that is referred to in recent times is more indicative of a consistent approach to developing an information framework replete with guidelines, policies, procedures and standards supportive of the company's long-term goals. MIS, as it is defined in the vernacular, typically refers to a strategic information system that, if used effectively, manifests itself as a tool that builds productivity in a way that maximizes profit margins.

New Technology

While new technology in and of itself is not a solution, it can provide methods by which to overcome existing performance gaps and to capitalize on new opportunities. Although technology-based, the term "technology" may not necessarily connote a complicated endeavor in a MIS. But it should be noted that, in practice, newer technology is what enables newer versions of these strategic Information Systems (IS). To quote the Organisation for Economic Co-operation and Development (OECD), "the Internet and related advances in information and communication technology (ICT) are transforming economic activity, much as the steam engine, railways and electricity did in the past."

ICT is developing at an exponential rate, and while its impact can be seen on the economy at large, the impact of ICT is even more clearly demonstrated in the ways by which the new technology has enabled more sophisticated IS. For instance, think about the impact the typewriter had, then the word processor and finally the computer. Huge, right? Today, ICT is growing so exponentially that it has to be considered spherically. New storage devices, such as Apple's Time Capsule or Seagate's FreeAgent External Drive, have presented new information storage options for businesses, enabling individuals or smaller businesses to have a secure method of information storage. There are also newer applications for business, such as Google Apps, which change the way information can be gathered, shared and accessed.

These newer ICT innovations create both new concerns and new opportunities. First, any technology can fail, at any time, for no reason. This is an issue that has to be accounted for. Also, information can be pirated from electronic devices, so security measures must be in place. While issues such as storage failure and security needed to be considered when everything was handwritten, the way those concerns manifest themselves with the advent of ICT is much different and must be handled in new and improved ways.

Development Problems in MIS



In dealing with MIS, several common development issues arise. According to Kalle Lyytinen (reference 1), the first, and most common, is in regard to the goals of the MIS. Frequently, the goals are "ambiguous, too narrow" or "conflicting." These development issues, while common in any goal-setting environment, are of special importance in MIS. Basically, a person must understand the goal presented in order to work toward it. Also, the goal must be broad enough. For example, a goal to improve the efficiency of the production of half-inch purple cogs is probably too narrow, while a goal to improve efficiency of cog production would present a better breadth. Lastly, no one does well when goals are conflicting. An example of this would be "increase profits for this quarter" versus "increase profits for the year". The profits of this quarter may decline because of factors like reinvestment and new opportunities. Trying to meet both goals is difficult, if not impossible.

Other issues identified by Lyytinen relevant to the development of MIS include technology, economy, process features, view of organization and self-image. Technology here refers to the impact technology has on information systems, both as a limitation (the system does not have the capability to use an automated information-gathering system) and as an opportunity (the system has the capability of intra-networking, file sharing and collaboration). Economy, in terms of the company, refers to whether the correct goal was identified, whereas process features refer to whether the process by which to achieve that goal will be successful. The view of the organization and self-image have to do with whether the queries "can it be done?" and "can we really do this?" are answered affirmatively at the company level and at the individual level.

Usage Problems in MIS



Lyytinen goes on to identify issues regarding the process of the MIS. She observes that the process is frequently seen as too difficult, slow and/or unreliable. Essentially, the process must be easy to use and understand; otherwise it may prove too difficult for the average person to complete successfully. A good example here would be a set of instructions 50 pages long for a process that should take 15 minutes. Secondly, processes that are slow simply take up too much time. After a while, people will stop using them, if for no other reason than the aggravation that accompanies them. All of these factors can contribute to an unreliable system. Since the information gathered is the purpose of the system, if it provides incorrect information it is useless.

Other process-oriented problems regarding MIS have to do with data, with concepts, with people and with the complexity of the system. Is the data reliable, and is the right data being reviewed? Did the people who set up the IS process fully understand the nature of the product? Is the process chosen for the management of the information system appropriate? The people the company employs need to understand how the MIS is attempting to improve company function, and have to believe that that goal can be achieved through the process instituted. And is the process too complex, and the data it collects not clear enough for accurate measurement?

Effective MIS

One of the biggest issues facing MIS, either in its development or its usage, lies in the fact that the systems do not have a concrete definition or a quantitative measure. Without ways to make its use measurable and understandable, how can its success (or lack of success) be gauged? And much of the research into MIS has neglected to look at the myriad of different types and focus on how each would apply. MIS research tends to look at issues in such a narrow way that practical applications to a given business are few if any. Few totally understand the technology being used. Who judges whether the MIS process being implemented is the correct one?

QUALITY ASSURANCE (QA) refers to the systematic activities implemented in a quality system so that quality requirements for a product or service will be fulfilled.[1] It is the systematic measurement, comparison with a standard, monitoring of processes and an associated feedback loop that confers error prevention.[2] This can be contrasted with quality control, which is focused on process outputs. Two principles included in QA are: "Fit for purpose", the product should be suitable for the intended purpose; and "Right first time", mistakes should be eliminated. QA includes management of the quality of raw materials, assemblies, products and components, services related to production, and management, production and inspection processes.

Suitable quality is determined by product users, clients or customers, not by society in general. It is not related to cost, and adjectives or descriptors such as "high" and "poor" are not applicable. For example, a low priced product may be viewed as having high quality because it is disposable where another may be viewed as having poor quality because it is not disposable.

Software quality assurance (SQA) consists of a means of monitoring the software engineering processes and methods used to ensure quality. The methods by which this is accomplished are many and varied, and may include ensuring conformance to one or more standards, such as ISO 9000 or a model such as CMMI.

SQA encompasses the entire software development process, which includes processes such as requirements definition, software design, coding, source code control, code reviews, change management, configuration management, testing, release management, and product integration. SQA is organized into goals, commitments, abilities, activities, measurements, and verifications.[1]

Information quality (IQ) is a term to describe the quality of the content of information systems. It is often pragmatically defined as: "The fitness for use of the information provided." Information quality assurance is the process to guarantee confidence that particular information meets some context specific quality requirements. It has been suggested, however, that the higher the quality, the greater will be the confidence in meeting more general, less specific contexts. "Information quality" is a measure of the value which the information provides to the user of that information. "Quality" is often perceived as subjective and the quality of information can then vary among users and among uses of the information.

A list of dimensions or elements used in assessing information quality is:[3]

Intrinsic IQ: Accuracy, Objectivity, Believability, Reputation
Contextual IQ: Relevancy, Value-Added, Timeliness, Completeness, Amount of information
Representational IQ: Interpretability, Format, Coherence, Compatibility[4]
Accessibility IQ: Accessibility, Access security

Quality metrics

Authority/Verifiability

Authority refers to the expertise or recognized official status of a source. Consider the reputation of the author and publisher. When working with legal or government information, consider whether the source is the official provider of the information. Verifiability refers to the ability of a reader to verify the validity of the information irrespective of how authoritative the source is. To verify the facts is part of the duty of care of the journalistic deontology, as well as, where possible, to provide the sources of information so that they can be verified.

Scope of coverage

Scope of coverage refers to the extent to which a source explores a topic. Consider time periods, geography or jurisdiction and coverage of related or narrower topics.

Composition and Organization

Composition and Organization has to do with the ability of the information source to present its particular message in a coherent, logically sequential manner.

Objectivity

Objectivity is the bias or opinion expressed when a writer interprets or analyzes facts. Consider the use of persuasive language, the source's presentation of other viewpoints, its reason for providing the information and advertising.

Integrity

1. Adherence to moral and ethical principles; soundness of moral character.
2. The state of being whole, entire, or undiminished.

Comprehensiveness

1. Of large scope; covering or involving much; inclusive: a comprehensive study.
2. Comprehending mentally; having an extensive mental grasp.
3. Insurance. Covering or providing broad protection against loss.

Validity

Validity of some information has to do with the degree of obvious truthfulness which the information carries.

Uniqueness

As much as uniqueness of a given piece of information is intuitive in meaning, it also significantly implies not only the originating point of the information but also the manner in which it is presented and thus the perception which it conjures. The essence of any piece of information we process consists to a large extent of those two elements.

Timeliness

Timeliness refers to information that is current at the time of publication. Consider publication, creation and revision dates. Beware of Web site scripting that automatically reflects the current day's date on a page.

Reproducibility (utilized primarily when referring to instructive information)

Means that documented methods are capable of being used on the same data set to achieve a consistent result.

INFORMATION SECURITY (sometimes shortened to InfoSec) is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.). Below are the typical terms you will hear when dealing with information security:

IT Security = Sometimes referred to as computer security, IT Security is information security when applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory (even a calculator). IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber attacks that often attempt to breach into critical private information or gain control of the internal systems.

Information Assurance = The act of ensuring that data is not lost when critical issues arise. These issues include but are not limited to: natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists. One of the most common methods of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arises.

Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business' customers or finances or new product line fall into the hands of a competitor, such a breach of security could lead to negative consequences. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement.
For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures. The field of information security has grown and evolved significantly in recent years. There are many ways of gaining entry into the field as a career. It offers many areas for specialization including: securing network(s) and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics, etc.

Information Security Attributes: or qualities, i.e., Confidentiality, Integrity and Availability (CIA). Information Systems are decomposed in three main portions, hardware, software and communications, with the purpose to help identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational. Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organizations.

Key concepts

The CIA triad (confidentiality, integrity and availability) is one of the core principles of information security. There is continuous debate about extending this classic trio. Other principles such as Accountability have sometimes been proposed for addition; it has been pointed out that issues such as Non-Repudiation do not fit well within the three core concepts, and as regulation of computer systems has increased (particularly amongst the Western nations) Legality is becoming a key consideration for practical security installations.

In 1992, and revised in 2002, the OECD's Guidelines for the Security of Information Systems and Networks proposed the nine generally accepted principles: Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. Building upon those, in 2004 the NIST's Engineering Principles for Information Technology Security proposed 33 principles. Guidelines and practices have been derived from each of these.

In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals.

Confidentiality

Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.

Integrity

In information security, integrity means that data cannot be modified undetectably. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.

Availability

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

Authenticity

In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim to be.

Non-repudiation

In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction. Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation.

Information Security Controls

Organizational Controls

Organizational controls are procedures and processes that define how people in the organization should perform their duties.

Preventative controls in this category include:

Clear roles and responsibilities. These must be clearly defined and documented so that management and staff clearly understand who is responsible for ensuring that an appropriate level of security is implemented for the most important IT assets.

Separation of duties and least privileges. When properly implemented, these ensure that people have only enough access to IT systems to effectively perform their job duties and no more.

Documented security plans and procedures. These are developed to explain how controls have been implemented and how they are to be maintained.

Security training and ongoing awareness campaigns. This is necessary for all members of the organization so that users and members of the IT team understand their responsibilities and how to properly utilize the computing resources while protecting the organization's data.

Systems and processes for provisioning and de-provisioning users. These controls are necessary so that new members of the organization are able to become productive quickly, while leaving personnel lose access immediately upon departure. Processes for provisioning should also include employee transfers from groups within the company where privileges and access change from one level to another. For example, consider government personnel changing jobs and security classifications from Secret to Top Secret, or vice versa.

Established processes for granting access to contractors, vendors, partners, and customers. This is often a variation on user provisioning, mentioned previously, but in many cases it is very distinct. Sharing some data with one group of external users while sharing a different collection of data with a different group can be challenging. Legal and regulatory requirements often impact the choices, for example when health or financial data is involved.

Detection controls in this category include:

Performing continuing risk management programs to assess and control risks to the organization's key assets.

Executing recurrent reviews of controls to verify the controls' efficacy.

Periodic undertaking of system audits to ensure that systems have not been compromised or misconfigured.

Performing background investigations of prospective candidates for employment; you should contemplate implementing additional background investigations for employees when they are being considered for promotions to positions with a significantly higher level of access to the organization's IT assets.

Establishing a rotation of duties, which is an effective way to uncover nefarious activities by members of the IT team or users with access to sensitive information.

Management controls in this category include:

Incident response planning, which provides an organization with the ability to quickly react to and recover from security violations while minimizing their impact and preventing the spread of the incident to other systems.

Business continuity planning, which enables an organization to recover from catastrophic events that impact a large fraction of the IT infrastructure.

Operational Controls

Operational controls define how people in the organization should handle data, software and hardware. They also include environmental and physical protections as described below.

Preventative controls in this category include:

Protection of computing facilities by physical means such as guards, electronic badges and locks, biometric locks, and fences.

Physical protection for end-user systems, including devices such as mobile computer locks and alarms and encryption of files stored on mobile devices.

Emergency backup power, which can save sensitive electrical systems from harm during power brownouts and blackouts; it can also ensure that applications and operating systems are shut down in a graceful manner to preserve data and transactions.

Fire protection systems such as automated fire suppression systems and fire extinguishers, which are essential tools for guarding the organization's key assets.

Temperature and humidity control systems that extend the life of sensitive electrical equipment and help to protect the data stored on them.

Media access control and disposal procedures to ensure that only authorized personnel have access to sensitive information and that media used for storing such data is rendered unreadable by degaussing or other methods before disposal.

Backup systems and provisions for offsite backup storage to facilitate the restoration of lost or corrupted data. In the event of a catastrophic incident, backup media stored offsite makes it possible to store critical business data on replacement systems.

Detection and recovery controls in this category include:

Physical security, which shields the organization from attackers attempting to gain access to its premises; examples include sensors, alarms, cameras, and motion detectors.

Environmental security, which safeguards the organization from environmental threats such as floods and fires; examples include smoke and fire detectors, alarms, sensors, and flood detectors.

Technological Controls

Technological controls vary considerably in complexity. They include system architecture design, engineering, hardware, software, and firmware. They are all of the technological components used to build an organization's information systems.

Preventative controls in this category include:

Authentication. The process of validating the credentials of a person, computer, process, or device. Authentication requires that the person, process, or device making the request provide a credential that proves it is what or who it says it is. Common forms of credentials are digital signatures, smart cards, biometric data, and a combination of user names and passwords.

Authorization. The process of granting a person, computer process, or device access to certain information, services, or functionality. Authorization is derived from the identity of the person, computer process, or device requesting access, which is verified through authentication.

Nonrepudiation. The technique used to ensure that someone performing an action on a computer cannot falsely deny that he or she performed that action. Nonrepudiation provides undeniable proof that a user took a specific action such as transferring money, authorizing a purchase, or sending a message.

Access control. The mechanism for limiting access to certain information based on a user's identity and membership in various predefined groups. Access control can be mandatory, discretionary, or role-based.

Protected communications. These controls use encryption to protect the integrity and confidentiality of information transmitted over networks.

Detection and recovery controls in this category include:

Audit systems. Make it possible to monitor and track system behavior that deviates from expected norms. They are a fundamental tool for detecting, understanding, and recovering from security breaches.

Antivirus programs. Designed to detect and respond to malicious software, such as viruses and worms. Responses may include blocking user access to infected files, cleaning infected files or systems, or informing the user that an infected program was detected.

System integrity tools. Make it possible for IT staff to determine whether unauthorized changes have been made to a system. For example, some system integrity tools calculate a checksum for all files present on the system's storage volumes and store the information in a database on a separate computer. Comparisons between a system's current state and its previously-known good configuration can be completed in a reliable and automated fashion with such a tool.

Management controls in this category include:

Security administration tools included with many computer operating systems and business applications as well as security oriented hardware and software products. These tools are needed in order to effectively maintain, support, and troubleshoot security features in all of these products.

Cryptography, which is the foundation for many other security controls. The secure creation, storage, and distribution of cryptographic keys make possible such technologies as virtual private networks (VPNs), secure user authentication, and encryption of data on various types of storage media.

Identification, which supplies the ability to identify unique users and processes. With this capability, systems can include features such as accountability, discretionary access control, role-based access control, and mandatory access control.

Protections inherent in the system, which are features designed into the system to provide protection of information processed or stored on that system. Safely reusing objects, supporting no-execute (NX) memory, and process separation all demonstrate system protection features.

ETHICS
