Chapter 12:

Managing System support and security

Learning outcomes:
Describe user support activities

Define the four types of maintenance

Explain seven strategies and techniques for maintenance management

Describe techniques for system performance management

Explain system security concepts and common attacks against the system.

Explain three tasks related to risk management concepts

Assess system security at six levels: physical, security, network security, application security, file security,
user security and procedural security
Describe backup and disaster recovery

List the main factor indicating that a system has reached the end of its useful life

List future challenges and opportunities for IT professionals.

User Support
1, User Training
Can be for new employees / changes to the current system / new system. Main objective is to show
users how the system can help them do their work.
2, Help desks
◦ Also known as service desk – centralized resource staffed by IT professionals who provide users with
the support they need to do their jobs.
◦ 3 main objectives: (1) show people how to use system resources more effectively, (2) provide
answers to technical or operational questions, (3) make users more productive by teaching them
how to meet their own information needs.
◦ Does not replace traditional IT maintenance and support activities – it enhances productivity and
improve utilization of a company’s information resource.
◦ Need strong interpersonal and technical skills, and a solid understanding of the business
◦ Must document all inquiries, support tasks and activity levels. This information helps identify trends
and common problems and help build technical support knowledge base.
◦ Boost productivity by using remote control software, takes over user’s workstation to provide
support
3, Outsourcing Issues
◦ Main reason for outsourcing is cost reduction
◦ If tech support quality goes down the customers shop somewhere else.
◦ Can a company achieve the desired savings without endangering its reputation and customer based?

MAINTENANCE TASKS
◦ Ongoing maintenance costs (for security and support) will determined the economic feasibility of the
system
◦ Operational costs are items such as suppliers, equipment rental and software leases.
◦ Maintenance expenses support maintenance activities which are: changing programs, procedures,
documentation to ensure performance, adapting the system to changing requirements and making the
system operate more effectively.
1. Corrective Maintenance – diagnoses and corrects errors in an operational system.
2. Adaptive Maintenance – adds enhancements to an operational system and makes the system
easier to use.
3. Perfective Maintenance – involves changing an operational system to make it more efficient,
reliable or maintainable. Requested by IT department. May lead to software reengineering-
simply operations, reduce cost, improve quality.
4. Preventive Maintenance – to avoid problems, this maintenance requires analysis of areas
where trouble is likely to occur. Requested by IT Department.
 Maintenance Management
◦ System maintenance requires effective management, quality assurance, and cost control.
1. Maintenance team
1. System Administrator – manages computer and network systems. Work well under pressure, good organisational and
communication skills, able to understand and resolve complex issues in limited time. Responsible for operations, configuration,
and security, routine maintenance, take preventive action to avoid immediate emergencies (such as server crash, network
outage, security incident, etc)
2. System Analyst –skilled detectives who investigate and rapidly locate source of a problem using analysis (means to examine
whole to learn the individual elements) and synthesis skills (involves studying parts to understand the overall).Technical skills and
business operation and function skills. Effective interpersonal and communication skills, creative, energetic, and eager for new
knowledge.
3. Programmers –specific programmers work on specific systems (app for applications)
4. Organizational issues – swopping system analyst between new systems and maintenance of old system, analyst learns more
but increases overheads, loose time to become expert.

2. Maintenance Requests
1. Initial Determination – user submit maintenance request, administrator makes initial determination. If justified, involves the
server and requires immediate attention – take action at once. If justified, noncritical, administrator determines if request can be
performed within preauthorised cost level, then assign maintenance tasks and monitors.
2. System review committee – request exceeds predetermined cost or involves a major configuration, committee approves and
assigns a priority or rejects
3. Task completion – administrator responsible in assigning tasks to individuals or maintenance team. Administrator can rotate
assignments among staff or limit maintenance asks to certain people/teams.
4. User notification – user who start maintenance requests expect prompt responses, including any information or decisions that
involve them.
3. Establishing Priorities
All requests are considered together, most important project gets top priority, whether it is maintenance or new development. Most
important objective is to have a procedure that balances new development and necessary maintenance work to provide the best support
for business requirements and priorities.

4. Configuration Management
Sometimes referred to as change control (CC), is a process for controlling changes in system requirements during software development.
Its important if system has multiple versions, it helps to keep it organised and handle documentation.

5. Maintenance Release
When a maintenance release methodology is used, all noncritical changes are held until they can be implemented at the same time. Each
change is documented and installed as a new version of the system is called maintenance release. Example: V 1.0 to V1.1 (smaller
changes) V1.0 to V2.0 significant change.
Maintenance release is known as a service pack – all fixes and enhancements that have been made available since the last program
version or service pack.

6. Version control
Is the process of tracking system releases or versions. Prior versions are archived and stored. Can roll back to previous version.

7. Baseline
Formal reference point C. 3 types:
Functional baseline – configuration of the system documented at the beginning of the project. It consists of all necessary system
requirements and design constraints.
Allocated baseline – documents the system at the end of the design phase and identifies any changes since the functional baseline. It
includes testing and verification of all system requirements and features.
Product baseline describes the system at the beginning of system operations. Incorporates any changes made since the allocated
baseline and includes the results of performance and acceptance tests for the operational system.
System Performance Management
◦ Companies use complex networks today
◦ When a system uses an integration of clients, servers, network and data located, it is then that the
system determines its capability and performance.
◦ IT department must manage system faults and interruptions, measure performance and workload
and anticipate future needs. They use automated software and CASE tools.
1.Fault management
Every system will experience some problems, so administrator must detect and resolve operational
problems asap. Fault management includes monitoring the system for signs of trouble, logging all
system failures, diagnosing the problem and apply corrective action.
2. Performance and workload measurement
◦ When a network has delays or is stopped completely, it has devastating effect. They are difficult to predict,
detect and prevent.
◦ Measuring performance use benchmark testing (set of standard tests to evaluate system performance and
capacity)
◦ Performance measurements (metrics) can monitor the number of transactions processed in a given time,
the number of records accessed, and volume of online data.

Response Time – overall time between a request for system activity and delivery of the response.
Bandwidth describes the amount of data that the system can transfer in a fixed time, expressed as
bits per second/ kilobit (Kbs)/Megabits (Mbps)/Gigabits (Gbps).
Throughput measures actual system performance under specific circumstances and is affected by
network loads and hardware efficiency. Also expressed as Kilo/Mega/Giga. Like a traffic jam. Graphic-
intensive systems and web-based systems can cause this.
Turnaround time applies to centralized batch processing operations, ex: credit card statement
processing. It measures the time between submitting a request and fulfilling the request.
3,Capacity Planning
It is the process that monitors current activity and performance levels, anticipates future activity and
forecasts the resources needed to provide desired level of service.
What-if analysis varies one or more elements in a model in order to measure the effect on other
elements.
Main objective is to ensure that the system meets all future demands and provides effective support
for business operations.
System security
Security protects the system and keeps it safe, free from danger and reliable.
1. System security concepts
CIA triangle – confidentiality integrity and availability
Confidentiality protects information from unauthorised disclosure and safeguards privacy
Integrity prevents unauthorised users from creating, modifying or deleting information
Availability ensures that authorised users have timely and reliable access to necessary information.
2. Risk management
Approach that involves constant attention to 3 interactive tasks: risk identification, risk assessment and risk control
Risk identification analyses the organisation’s assets, threats and vulnerabilities.
◦ Must first list and classify business assets (hardware/software/network/people/procedure)
◦ Rate impact of an attack and analyse possible threats (internal/external entity that could endanger an asset)
◦ Identify vulnerabilities (security weakness/soft spot) and how it can exploit (attack that takes advantage of
vulnerability
◦ Each vulnerability is rated and assigned a value
◦ Output is list of assets, vulnerabilities and ratings.
Risk assessment measure risk likelihood and impact
◦ Risk is impact of attack multiplied by likelihood of vulnerability being exploited. Ex: Impact of 2, vulnerability of 10
= risk of 20
◦ Critical risks will head the list.
Risk control develops safeguards that reduce risks and their impact.
◦ Avoidance eliminates the risk by adding protective safeguards.
◦ Mitigation reduces impact of risk by careful planning and preparation.
◦ Transference shifts the risk to another asset or party like insurance company
◦ Acceptance means that nothing is done.
Risk management process is iterative
 Security Levels
◦ System security only as strong as weakest link.
1. Physical security -1st level, includes IT resources and people. Usually has its own room in building /centrally
located. All computer on network must be secured (access points).
1. Operations centre security – physical security features, automatic doors that lock. Biometric scanning system which maps
individual’s features. Video cameras, motion sensors for movements/heat.
2. Server and desktop computers – lock physical computer. Keystroke logger is a device that can be inserted between keyboard and
computer (physical cable that records all keys pressed). Tamper-evident cases is designed to show any attempt to open/unlock the
case. Monitor screen savers – need a password to view screen content. BIOS-Level password (boot-level/power on)must enter before
computer starts. Uninterruptible power supply (UPS) that includes battery backup with suitable capacity.
3. Portable computers – things to consider: OS with passwords and firewalls, put name on computer case, use biometric or facial
recognition devices, lock pc with cable lock, back up data if travelling outside company, install a locator app to find if lost/stolen,
warn others and use complex passwords.
2, Network security
4. Encrypting network traffic – unencrypted/plain text password is transmitted over network it can be stolen. If encrypted, it is visible but
its connect and purpose are masked. Private key is symmetric, use the same key to lock and unlock. Public key is asymmetric, each
person has a set of key to lock and unlock.
5. Wireless network – wireless is more vulnerable than wired. Wired Equivalent Privacy (WEP) needed a special pre-shaped key. It was
replaced with Wi-Fi Protected Access (WPA), offers major security improvements based on protocols created by Wi-Fi Alliance. WPA2
upgrade and is now mandatory for all new devices seeking Wi-Fi certification.
6. Private Network – dedicated connection, similar to leased telephone line. Each computer on the network has its own interface to
network and doesn’t connect to interface outside network. It’s not visible and cannot be intercepted from outside.
7. Virtual Private network- uses a public network such as Internet to connect remote users securely.
8. Ports and services – PORT which is identified by a number, is used to route incoming traffic to the correct application. SERVICE is an
application that monitors /listens on a particular port.
6, Firewall is the main line of defence between a local network or intranet and the Internet.

7, Network Intrusion Detection (NIDS) is like a burglar alarm that goes off when it detects suspicious network
traffic patterns.
3. Application Security
1, Services – is an application that monitors, listens on a particular port.
2. Hardening- process makes a system more secure by removing unnecessary accounts, services, and
features. (antivirus and antispyware)
3. Application Permissions / user rights /permission – allow certain users access
4. Input validation – making sure abc is there and not 123
5. Patches and updates – patches are used to repair these holes, reduce vulnerability and update the
system. This is time consuming, so prefer automatic update services that allows the application to conduct
vendor server and check for needed patches or updates.
6, Software log –that documents all events, including dates, times and other information.

4. File Security
1. Encryption – scrambles the content of a file or document to protect it from unauthorised access.
2. Permission – describe the rights a user has to a particular file or directory on a server.
3. User group – individuals that collaborate and share files would request higher level permission to
enable them to change file content. Easier to create group and assign rights to that group.
5. User security involves the identification of system users and consideration of user-related
security issues.

1. Identity management refers to controls and procedures necessary to identify legitimate users and
system components.
2. Password protection policy states password requires a minimum length, complexity and limit on
invalid login attempts.
3. Social engineering – a intruder uses social interaction to gain access to a computer system.
4. User resistance – tight security measures can cause inconvenience and time consuming.
5. New technologies enhance security and prevent unauthorised access.
6. Procedural Security /operational security is concerned with managerial policies and controls that
ensure secure operations. Shed paper, keep people on a need to know basis, etc.
Backup and recovery
Backup refers to copying data at prescribed intervals, or continuously.
Recovery involves restoring the data and restarting the system after an interruption.
Disaster recovery plan –backup and recovery that prepares for a potential disaster
1. Global Terrorism- caused more focus on backup and recovery plans
2. Backup policies – policy contains detailed instructions and procedures.
1. Backup Media includes tape, hard drives, optical storage and online storage.
2. Offsiting refers to the practice of storing backup away from main location, to mitigate the risk
3. Backup types
1. Full is a complete backup of every file on the system.
2. Differential, faster because it backup only files that are new or changed since last full backup.
3. Incremental, only includes recent files that never have been backed up by any method.
4. Continuous which is real-time streaming method that records all system activity as it occurs.
4. Retention Periods– backups are stored for a specific retention period after which they are either destroyed or reused. Can be
months/years.

3, Business Continuity Issues

◦ Test plan which can simulate various levels of emergencies and record the responses, which is analyzed and improved.
◦ The main aim of disaster recovery plan is to retore business operations to pre-disaster levels. Forms part of continuity
plan.
◦ Hot site is an alternative location where data can be replicated (mirrored)
◦ Very expensive
System Retirement
◦ System do have expiration dates and it should never come as a surprise. There are several reasons
to end but the main point is that it has reached the end of its economically useful life.
◦ Only the very essential maintenance is required for it to operate, otherwise it is coming to the end of
its life.
◦ The user satisfaction determines a life span of a system.
 Future Challenges and Opportunities
◦ Change is constant, it will never stop, and it happens so fast.
◦ Best to do is plan for it and be proactive and not reactive.
◦ So this plan is crucial, it must consider:
◦ Trends and Predictions
◦ Cybercrime
◦ Smartphones and tablets
◦ Software as a Service (SaaS)
◦ Cloud computing
◦ Insourcing
Security and privacy concerns become greater issues
◦ Strategic Planning for IT Professionals
◦ Start planning your goals and use a Gantt chart to measure your milestones
◦ IT Credentials and Certification
◦ Certification means special hardware and software skill that can be measured with an exam.
◦ It’s a lifelong learning, degrees are short term
◦ Critical Thinking Skills
◦ Soft skills (communication, interpersonal and perceptive abilities) and critical thinking skills are needed .
◦ University is teaching you to be able to learn by yourself because in industry, there are various software products, the test is to see if you can
figure it out yourself.
◦ Critical skills are location of data, identify important facts, apply your knowledge to real world decisions
◦ Cyberethics
◦ How much of your integrity and morals will you give away to progress in your career or willing to give in if someone asks you to do it?
 Conclusion

User support activities are identified and explained.

The four types of maintenance are identified

Seven strategies and techniques for maintenance management is identified and explained

Techniques for system performance management is described

System security concepts and common attacks against the system is identified

The three tasks related to risk management concepts are explained

System security at six levels: physical, security, network security, application security, file security,
user security and procedural security is explained
Backup and disaster recovery is described

The main factor indicating that a system has reached the end of its useful life is identified

Future challenges and opportunities for IT professionals is explained