Summary

8 September, 2015 - 16:42

It seems odd to write a chapter summary when all of the sections in this chapter constitute summaries of concepts and issues commonly presented in much greater depth. However, that is the nature of a textbook and it is appropriate that we reemphasize those details that are most salient to future managers concerned with the avoidance of information systems failures.

As indicated in the introduction, perhaps the most important point to take away from this chapter is that organizational management should be involved in assessing the consequences of systems failures and in deciding an appropriate level of investment to minimize the potential for such failures. As with many management prescriptions, the advice is far easier to understand than to execute.

The chapter began with an introduction of some important IT terms: IT business applications and IT infrastructure. These terms provide a useful way of thinking about how information systems are constituted within an organization and a language for communicating with IT professionals. The IT Infrastructure Library (ITIL) was briefly described to introduce the concept of service level requirements in service level agreements. Service level agreements, when properly negotiated, provide a solid foundation for planning and implementing appropriate IT solutions that are effectively aligned with the organization's needs. Thus the negotiation of a service level agreement provides a means for understanding and documenting the organization's tolerance for system failure.

The chapter then explored the nature of information system failure. Information systems are unique among organizational assets in the variety of possible failure modes. Failure may occur where the confidentiality of information stored within a system is breached, irrespective of whether the system is physically damaged or information is destroyed. Additionally, organizations must be concerned with the integrity or accuracy of their information, as well as with ensuring that the information or IT-enabled services remain available to meet their operational needs.

The chapter introduced risk management as a disciplined means for organizations to identify their information system assets, the vulnerabilities associated with those assets, and potential threats (the means by which vulnerabilities are exploited). Various qualitative and quantitative methods can be used to analyze these data in order to select and implement countermeasures appropriate to organizational needs. A more detailed discussion of risk and the risk assessment process is provided elsewhere in the book. While organizational management may rely on IT and security professionals for information regarding relevant vulnerabilities, threats and countermeasures, the identification and valuation of assets and the determination of consequences in the event of system failure most appropriately lie on management's shoulders.

After presenting these foundational concepts, the bulk of the chapter briefly introduces organizational activities associated with mitigating risks. Risk mitigation efforts are broadly categorized as falling into two categories: management controls and operational controls. Management controls include:

  • Establishing appropriate information assurance policies, procedures, standards and education,
  • Incorporating risk management concerns into the organization's information system planning and design processes, and
  • Establishing formal change and configuration management processes.

Operational controls include:

  • Establishing information system monitoring and incident response capabilities,
  • Performing system backups, and
  • Planning for disaster recovery and business continuity.

Selected technical controls, representing additional IT infrastructure investments, were briefly described as well.

In closing, we note that managers, at least within larger organizations, will rely on IT and security professionals to assist in the analysis of risk and the design and implementation of countermeasures. However, non-IT managers, particularly those working at executive levels, need a basic understanding of the concepts presented in this chapter to ensure that their organizations are properly protected. Depending on the organization's specific circumstances, there may be strong financial, legal and moral obligations to avoid information systems failures.