27th January 2018
Prepare by Tun Wai Oo
MANAGEMENT INFORMATION SYSTEMS
Type the abstract of the document here. The abstract is typically a short summary of the contents of the document. Type the abstract of the document here. The abstract is typically a short summary of the contents of the document.
1. Critically discuss why organizations are heavily reliant on information systems.
In 21st century, the businesses are investing so much in information systems and technologies to improve the efficiency of the operations to achieve higher profitability, new products, services and business models to describes how a company produces, delivers and sells a product or service to create wealth, to promote the customer and supplier intimacy, to improve the decision making, to achieve competitive advantage and for the survival.
Changes in technology and new, innovative business models have transformed social life and business practices. The five changes including IT innovations, new business models, E-commerce expanding, management changes, Changes in firms and organization are the driven forces of transforming the social life and business practices.
The role of the MIS in an organization is exactly the same as the role of heart in the body. MIS is the heart while the information is the blood. The heart plays an important roleto support pure blood to all the different parts of the body while the heart does the balancing act supplying blood when needed. It maintains and regulates the incoming impure blood, processed it and sends it to the respective place in the volume needed.
When it comes to MIS, it plays exactly the same role in the organization. The system makes sure that a data is suitably collected from the various sources, processed and it and send to the entire needy destination. The system is expected to fulfill the needed information to the individual, a group, the managers and top management.The MIS satisfies the needs variety of systems such as query system, analysis system, modeling system and decision support system.
Information system is a set of interrelated components that collect, process, store and distribute information to enhance control and decision making in an organization. Generally, there are two types of information system; general purpose information system and specialized information system. The generalized database management system (DBMS), a combination of software and data which makes it possible to organize and analyze data and an electronic spreadsheet which is a tool for data analysis based on formulas which define relationships among the data. The specialized information system is designed to carry out very specific analysis tasks. For example, enterprise resource planning (ERP) to integrate the management of all internal and external information across an entire organization and a geographic information system (GIS), to manage and analyze all types of geographical data.
There are four main reasons why organizations are heavily reliant on information systems. The first reason is the communication that allows managers to communicate rapidly.The hierarchies of the business organizations consist of three principal levels; senior management, middle management, and operational management. The production and service workers and data worker work in the operational management while scientists and knowledge workers works in middle management. Data is presented in a user-friendly and timely manner so that the mid and upper-level managers can use it for the right actions. The entire system is designed systematically so that the company can meet its strategic and tactical goals.Gathering and distributing information is a part of management. The information systems can make this process of gathering and distributing information more efficient by allowing managers to communicate each other rapidly. Managers can use information systems efficiently by storing the documents in folders that they share with the employees who need the information. This helps employees collaborate in a systematic way. In addition, the employees in the organization can communicate additional information by making changes that the system tracks. The manager collects and organized the information inputs and sends the newly revised document to his target audience.
The second reason is the operation which allows the organization to operate more efficiently for a cost advantage over competitors and to make different from other company or organizations by offering better customer service. Sales data give the information about what customers are buying and let the business produce items that are selling well.
The third reason is the better decisions by delivering all the needed information and by modeling the results of the decisions. In details, a decision means choosing the action from several options and carrying out the corresponding tasks. The choices can be made with confidence when the information is accurate and up- to –date. If more than one choice looks appealing, the information system to run different scenarios can be used if more than one choice looks appealing. The system can calculate key indicators such as sales, costs and profits to help you determine which alternative gives the most beneficial result.
The fourth reason is thatcompany needs activities record for financial and regulatory purposes in finding the causes of problems and taking corrective action. The information system stores documents and histories, communication records and operational data. The organization or business can use such information to prepare cost estimates and analyze or forecast how the actions affected the key company indicators.
2. Outline the various types of security threats to any information system of an organization.
The internet related telecommunications system and technologies is now penetrating the global market ,using network is now creating different aspects of vulnerability for organizations or companies .These networks can be penetrated in different ways. As the consequence of it, the companies or organizations can face threats which affect information system security. Threats to information system can be from different places; inside and external of an organizations or companies. To secure system and information of the organization, each company or organization should analyze the types of threats that will be faced should be analyzed in a way how the threats affect information system security.
One of the security threats to any information system of an organization is computer viruses named Ran Weber, 1999. The example is worms and Trojan horses. The purpose of computer virus is to enter a computer without the user’s permission and it has the ability to duplicate itself .So it can continue to spread easily. Some virus can be very harmful to program and performance of the system .Virus program cause crashes and data loss .The damages caused by computer virus might be accidental which resulted as the poor programming.
The second security threat to any information system of an organization is unauthorized Access named hacker and cracker. It is common security risks and the danger of unauthorized access to confidential data .It comes from intruders or hackers who use the latest technology by breaking into secure computers or to disable them .A person who gains access to information system for malicious reason is often termed of cracker rather than a hacker. Hackers and crackers get unauthorized access by finding weaknesses in the security protections in Web sites and computer systems and take advantage of the Internet, make it an open system that is easy to use.
The third security threat to any information system of an organization is theft. Theft can be divided into three categories: physical theft, identity theftand data theft. The loss of important hardware, software or data can have significant effects on an organization’s effectiveness.
The third security threat to any information system of an organization is sabotage. The examples of sabotage are; destroying hardware and infrastructure , ,entering incorrect data ,changing data ,deleting software ,planting logic bombs ,deleting data, planting a virus. Damage may be on purpose or accidental and carried out individual or the act of industrial sabotage. Insiders have enough knowledge and provide them with capability to cause maximum interruption to the agency by sabotaging information systems.
The third security threat to any information system of an organization is vandalism. Damage cause to hardware, software and data are considered as a serious threat to information system security. The threat from vandalism causes the organization to be temporarily denied access to someone. Minor damage to parts of a system can have an effect on the organization as a whole.
The fourth security threat to any information system of an organization is human error. Human errors have the greatest impact on information system security than any other threats caused by purposeful attacks .But most accidents that are serious threats to the security of information systems can be mitigated. This is the major threat of all. Accidental misuse or damage will be affected over time by the attitude and disposition of the staff.
In conclusion, threats are the actors which exploit vulnerabilities causing information system security incidents and threatening individuals, organizations or companies. Thus awareness and controls are the best defense which can be used to protect information while maintaining the benefits of information technology.
3. Examine the impacts of ransomware on business organizations
Ransomware is a kind of malware which locks the computer to prevent one from accessing the data until the ransom paid is done. This is usually demanded in Bitcoin. Ransomware not only effects computer, it also targets mobile phones.Government agencies, academic institutions, law enforcement agents, individuals, business have all been affected by ransomware .The user is infectious through a malicious website and email , or the person who attack can directly to the computer if they’ve already infected it.The best example is WannaCryransomware worm that spread rapidly through a number of computer nerworks in May 2017.
After Windows computers are infected, it encrypts files on the hard drive. As a result, the users cannot be able to access the files anymore. And then,theydemands a ransom payment in bitcoin if the user would like to decrypt the files. This incident struck a great number of important and high-profile systems. The first victim was Britain’s National Health Service which was exploited through Windows vulnerability. The first victim, Britain’s National Health Service was discovered by the United States National Security Agency.
Ransomware targets both home users and businesses which lead to negative consequences such astemporary or permanent loss of sensitive information,financial losses incurred to restore systems and filesandpotential harm to an organization’s reputation anddisruption to operations.Paying the ransom does not also guarantee that the encrypted files will be back but it is quite sure that the malicious actors receive the victim’s money, the worst is the victim’s banking information. Moreover, decrypting files does not mean the malware infection cannot be removed easily.In 2016,there were reports about the escalation of ransomware attacks hitting businesses and organisations, especially within Europe.
According to FBI, over $1 billion was lost to ransomware globally. The UK was the biggest target for attackers. Security companynamed Malwarebytes conducted a survey on to what extent the business were affected by ransomware. In that survey, 54% of businesses were affected by some types of ransomware. Within the 54% of businesses infected, 58% paid the ransom, while 28% of those who didn’t pay lost their businesses data.
Downtime plays a large key in why ransomware is so effective. According to the enterprises in UK that have been affected by ransomware, the businesses lost between $5,000 to $ 20,000 a day. The 96% of UK businesses are concerned that their businesses are not prepared for a ransomware attack on their infrastructure.
A Ransomware attack spreads when an ‘unsecure’ file or device is opened on a computer connected to a network. Once the device is connected, the attack spreads quickly through the network with little ability to stop the attack spreading. An example of a ransomware being ‘suppressed’ would be WannaCry. According to a researcher, MalwareTech found the ransomware was connected to an unregistered domain. By purchasing this domain MalwareTech stopped the ransomware from spreading. Even though the ransomware spread was halted, the computers that were affected remained encrypted.
ESET conducted a survey with Small and Medium sized businesses. The survey showed that SMB’s are the organizations most susceptible to ransomware and phishing. Most small to medium-sized businesses do not have a reliable safeguard against these attacks, leaving them prime targets. An attack could leave these businesses with lost data, time and loss in client trust.
There are four impact the companies and the organization might have; the financial cost , downtime costs, data loss and loss of life!
The first impact is the downtime costs. Organizations may be forced to shut down systems to solve the problem of infection. As a result, the targeted organization’s services to the customers may be impacted. As the consequences of it, the company could experience reputational damage and financial losses. In the case of companies which run utilities ,loss of water of power can potentially impact millions of people and may cause accidents leading to injury or even death.
The second impact is financial cost. Companies may have to pay forsecurity-related solutions in response to ransomware and for incident response. There is no denying that if customers are affected, organizations will definitely be hit with enormous legal bills, fines and other penalties. The best example is that US hospitals can be charged up to $1 million if they violate the Health Insurance Portability and Accountability Act (HIPAA) .
The third impact is Data loss. Losing data due to files encrypted or stolen can have a huge impact on businesses. The loss of customers’ personally identifiable information(PII),company records, or intellectual property can impactthe organization’s brand ,finances, and reputation. The cybercriminals behind the attack threaten to publish stolen data online in an attempt to extort more money from the victim. There is still a risk that data may be corrupted in the decryption processeven if a victim pays the ransom and the cybercriminals decrypt the files,.
The fourth impact of ransomware is loss of life. When it comes to the hospitalor other medical organization, patients’ lives may be at risk as the medical equipment may be affected. If the medical history of the patient may not be accessible, there will bedelay treatment or incorrect medication which will lead to the crisis. A ransomware attack can impact company finances, reputation, business continuity, productivity, and even safety at an organization.
4. Prepare a prevention and risk mitigation plan to organizations so that the
Organizations are well prepared to overcome future attacks.
The information system is vulnerable to the potential threads such as the unauthorized access, abuse. These threads can stem from technical, organizational, and environmental factors by poor management decisions. The prevention and risk mitigation plan of the organizations can minimizes to overcome future attacks.
Information systems controls consist of both manual and automated. Consist of general and application controls. General controls govern the design security, and use of computer programs and the security of data in general in the organization’s information technology infrastructure. General control means software controls, physical controls, computer operations controls, data security controls, control over the systems development process and administrative controls. Application controls can be classified as the input controls, processing controls, output controls.
Input controls which check data for accuracy and completeness. Processing controls which establish that data are completed and accurate during updating and output controls ensure the results of computer processing are accurate, complete and properly distributed.
The risk assessment determines the level of risk of an organization the process is not properly controlled. The value of information assets, points of vulnerability, the likely frequency of a problem, and the potential form damage.
The security policy is the statements that ranks risks of information, identifies acceptable security goals and identifies the mechanisms for achieving targeted goals. An acceptable use policy (AUP) defines acceptable uses of the firm’s information resources and computing equipment. Security policy includes provisions for identity management. Identity management consists of business processes and software tools form identifying the valid users of a system and controlling their access to system resources.
Important tools and technologies for safeguarding information resources
1. Identity Management and Authentication
2. Firewalls, Intrusion, Detection Systems, and Antivirus Software
3. Securing Wireless Networks
4. Encryption and Public Key Infrastructure
5. Ensuring System Availability
6. Security Issues for Cloud Computing and
7. The Mobile Digital Platform
8. Ensuring Software Quality
1. Identity Management and Authentication
To gain access to a system, a user must be authorized and authenticated. Authentication refers to the ability to know that a person is who he or she claims to be. Authentication is often established by using passwords known only to authorized users. Biometric authentication, overcome some of these problems. A token is a physical device, similar to an identification card that is designed to prove the identity of a single user. Tokens are small gadgets that typically fit on key rings and display pass codes that change frequently. A smart card is a device about the size of a credit card that contains a chip formatted with access permission and other data.
2. Firewalls, Intrusion, Detection Systems, and Antivirus Software
Firewalls prevent unauthorized users from accessing private networks. Packet filtering examines selected fields in the headers of data packets flowing back and forth between the trusted network and the Internet. Network Address Translation (NAT) can provide another layer of protection when static packet filtering and stateful inspection are employed. Application proxy filtering stops data packets originating outside the organization inspect them, and pass a proxy to the other side of the firewall. Firewalls can deter, but not completely prevent, network penetration by outsiders and should be viewed as one element in an overall security plan.
Intrusion detection systems feature full-time monitoring tools placed at the most vulnerable points or “hot spots” of corporate networks to detect and deter intruders continually. The system generates an alarm if it finds a suspicious or anomalous event.
Antivirus software prevents, detects, and removes malware, including computer viruses, computer worms, Trojan horses, spyware, and adware.
3. Securing Wireless Networks
The corporations can improve Wifi security by the new standard of static encryption keys used in WEP have strong security standards
4. Encryption and Public Key Infrastructure
Two methods for encrypting network traffic on the Web are SSL and S-HTTP. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) enable client and server computers to manage encryption and decryption activities as they communicate with each other during a secure Web session. Secure Hypertext Transfer Protocol (S-HTTP) is another protocol used for encrypting data flowing over the Internet, but it is limited to individual messages, whereas SSL and TLS are designed to establish a secure connection between two computers.
5. Ensuring System Availability
Fault-tolerant computer systems contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service. Fault-tolerant computers use special software routines or self-checking logic built into their circuitry to detect hardware failures and automatically switch to a backup device. Parts from these computers can be removed and repaired without disruption to the computer or downtime. Downtime refers to periods of time in which a system is not operational.
6. Security Issues for Cloud Computing and the Mobile Digital Platform
If mobile devices are performing many of the functions of computers, they need to be secured like desktops and laptops against malware, theft, accidental loss, unauthorized access, and hacking attempts. Mobile devices accessing corporate systems and data require special protection. Firms should develop guidelines stipulating approved mobile platforms and software applications as well as the required software and procedures for remote access of corporate systems. The organization’s mobile security policy should forbid employees from using unsecure, consumer-based applications for transferring and storing corporate documents and files, or sending such documents and files to oneself via e-mail without encryption.
7. Ensuring Software Quality
Use of software metrics and rigorous software testing help improve software quality and reliability.
The prevention must be done to protect against ransomeware.
Email and exploit kits are the one of the infection vectors for ransomware. The adoption of a robust defense against these infection vectors will lessen the risk of infection.
2. Email Security
3. Intrusion Prevention
The intrusion prevention system (IPS) is the technology which can detect and block malicious traffic from exploit kit, and prevent the installation of ransomware.
4. Download Insight
The download Insight technology examines files that are downloaded from web browsers, messaging clients, and other portals. Download Insight can decide if a file is a risk based on reputation.
5. Browser Protection
Browser Protection solution makes the analysis of the web browser’s state and blocks websites from exploits.
6. Exploit Protection
Exploit protection technology can recognize the malicious behavior that are common in exploit attacks and blocks them from executing.