
Management Information System

Classification of Decision Support Systems

By Dinesh Thakur

DSS have been classified in different ways as the concept matured with time. As and when the full potential and possibilities for the field emerged, different classification systems also emerged. Some of the well-known classification models are given below:

  • According to Donovan and Madnick (1977) DSS can be classified as,
  1. Institutional – when the DSS supports ongoing and recurring decisions.
  2. Ad hoc – when the DSS supports a one-off kind of decision.
  • Hackathorn and Keen (1981) classified DSS as,
  1. Personal DSS
  2. Group DSS
  3. Organizational DSS

  • Alter (1980) opined that decision support systems could be classified into seven types based on their generic nature of operations. He described the seven types as,
  1. File drawer systems. This type of DSS primarily provides access to data stores/data related items.
  2. Data analysis systems. This type of DSS supports the manipulation of data through the use of specific or generic computerized settings or tools.
  3. Analysis information systems. This type of DSS provides access to sets of decision oriented databases and simple small models.
  4. Accounting and financial models. This type of DSS can perform ‘what if analysis’ and calculate the outcomes of different decision paths.
  5. Representational models. This type of DSS can also perform ‘what if analysis’ and calculate the outcomes of different decision paths, based on simulated models.
  6. Optimization models. This kind of DSS provides solutions through the use of optimization models which have mathematical solutions.
  7. Suggestion models. This kind of DSS works when the decision to be taken is based on well-structured tasks.
  • The modern classification of DSS is,
  1. Model Driven DSS is a DSS that uses a model (quantitative) based on heuristics, optimization, simulation etc. for deriving solutions to problems. It has access to the models and has flexibility of changing the parameters of the model. Real data or transactional data from databases of TPS is then passed through the model to arrive at the solution. The system is capable of producing different scenarios.
  2. Data Driven DSS is a DSS that gives access to time-series internal data. Data warehouses that have tools that provide the facility to manipulate such data are examples of advanced systems. Executive Information Systems are examples of data-driven DSS.
  3. Communications-driven DSS is a DSS that uses network and communications technologies to support decision-relevant collaboration and communication. In such systems, communication technologies are the most important component.
  4. Document-driven DSS is a DSS that uses computer storage and processing to provide document retrieval and analysis.
  5. Knowledge-driven DSS is a DSS that collects and stores ‘expertise’ so that it can be used for decision-making when required.

Components of DSS

Even though DSS can be of several types, fundamentally each DSS will have the following components:

  • Interactive User-System Dialog Management Subsystem – a DSS requires continuous user interaction. Sometimes the system should prompt the user to give an input; at other times the user should be able to control the processing. A typical user-system dialog management subsystem will have the following elements:
  1. User Interface – the user interface of a DSS has to be dynamic and GUI based. It has to be an easy-to-use interface, as most of the people who will be using it are not technical experts but management experts (top management), and hence the interface should be minimalist in design. Also, the system should be able to interact with the user in an interactive mode and hence the user interface has to be dynamic.
  2. Request Constructor – since a DSS works in an interactive dynamic mode, it needs a request constructor (incorporating aspects of Language Query Interface) which can convert the user’s instructions into model understandable form, the model’s data request to the database and the model’s instructions/requests to the user.
  • Data Management Subsystem – data is the most important component of a DSS. Without the data a DSS cannot function. The data management subsystem manages the data for DSS. Data is accessed in a DSS in many ways, such as on an ad hoc basis, a structured query basis and a heuristic search basis, and hence a strong data management subsystem is required to service the varied data requests from a DSS. The subsystem has the following elements:
  1. Database Management System – it is the data store for the DSS. It manages the data and performs all the functions that a typical DBMS package does. In fact, in most DSS a commercial DBMS or RDBMS package is used to perform this task.
  2. The Query Control – this is a tailored element to handle the query requirements of DSS. It may connect the database directly to the user interface or to the model base or both.
  3. Meta Data – this contains data about the data that is stored in the database. This helps the DSS in understanding the data in the database properly and helps in creating ad hoc queries.
  • Model Management Subsystem – this is the unique feature of a DSS. This makes the system special. However, this also makes the system very specific. There are very few examples of a generalized DSS as generalized models are not available. Those that exist work on half-baked solutions. The model management subsystem may use different classes of models like,
  1. Optimization Models
  2. Simulation Models
  3. Heuristic Models
  4. Deterministic Models
  5. Predictive Models

Each class of model is useful to solve a specific class of problems, like a routing problem, a scheduling problem or a combinatorial search problem. Model and Model Management have several connotations in DSS literature and there have been wide-ranging definitions of these terms. The common strain that evolves from this plethora of definitions is that a model is conceived to consist of a solver, a model for solving a problem and data (Ramirez, 1993), where the model represents relationships between variables, the data represents the values of the variables under consideration and the solver is the tool that enables the computation of the variable values and their relationships. It has also been conceptualized in some literature as a procedure which works on the data to give an output after analysis.

The model management subsystem has the following elements:

  1. The Model Base Management System – a model base, or rather a model base management system, is software that is conceptually to models what the DBMS is to data: it has the capabilities to manage a model for it to be useful to the decision maker. It is the core of a DSS. It supports generation of models and works with data on one hand and the user supplied instructions on the other.
  2. The Model Command Processor – this is the entity that processes the commands coming from the dialog management subsystem.
  3. The Model Executor or Solver – this is the heart of the system. It is the process through which the model is solved using some algorithm. It works with the model as generated by the model base, with instructions from the user, with the request constructor (the dialog management subsystem in general) to get the parameters of the model from the user, and with data from the data management subsystem. It then solves the problem and displays the results and some variations of the best fit solution through the dialog management subsystem. The alternative solutions provided help the user in decision-making.




Ethics in an Information Society

By Dinesh Thakur

Ethics is a branch of philosophy that deals with what is considered right and wrong in society. It deals with issues which are not in the realm of legal or statutory domains but which may be considered conventionally right or wrong as per perception of the society of that time.

Slavery was, at a certain point in time, legal in the United States and then, with the passing of legislation later during Abraham Lincoln’s Presidency, was deemed illegal. The issue is that even when slavery was legal, it was considered unethical by some, as society considered it something wrong even when it was legal. Therefore, we can say that ethics is a far greater concept than legality. It has something to do with the basic idea of right and wrong that becomes ingrained in us from childhood. Therefore, if you do a good job and your boss steals all the credit for your work, then it becomes unethical behavior on his part but it may not be illegal. An issue becomes ethical in nature when it transgresses any basic norm of human existence.

The issue of ethics in the information age has acquired a different dimension altogether. With more access to information, greater connectivity and anonymity new ethical issues are coming to the fore every day. Some major ethical issues hover around the following questions:

  1. How much information about an individual is private, and how much of that private information cannot be captured or disclosed?
  2. What information can be kept by organizations dealing with individuals?
  3. How much right does an individual have over his/her own information?
  4. Who can access and who cannot access information?

Most cases of ethical violation in the information society occur due to disclosure of private information. This brings us to the interesting topic of privacy. Let us delve into the issue a little deeper. Is information about a suspected terrorist private or the act that he commits private? Probably not. On the other hand, if we are asked if information about a dowry victim is private, we will all probably agree that it is. Thus, we see that privacy assumes different degrees of severity. In the first case, one can argue that if information about a suspected terrorist is not made public, then the terrorist will not get caught, and will cause more destruction. Thus, the well-being of a majority is at stake if the privacy of information of the terrorist is to be considered. Hence, it may be argued by some that disclosure of such private information as how he looks and what his height is may be considered fine, but the same cannot be said for the latter case about the dowry victim. Thus, we see that ethics, privacy and other such related issues have to be considered carefully.

However, the following may be considered ethical issues in information society:

  1. Disclosing another individual’s personal details to others. This is a serious ethical issue. Sometimes when the disclosure is of a very private nature this can even become a legal issue.
  2. Cyber stalking is when an individual is always stalked in cyberspace resulting in violation of an individual’s privacy and creating a fear in the mind of the stalked. This on a small scale is an ethical issue but may become a legal issue if the stalking becomes serious.
  3. Disclosure of trusted content is also another ethical issue. If an individual is in the possession of some trusted content and he shares it with others then that becomes an ethical issue.
  4. Distribution of pornographic material with open access is another ethical issue and needs to be controlled.
  5. Plagiarism is becoming very rampant as content in soft form can just be copied and pasted from other files and claimed as one’s own. On a small scale this is an ethical issue but when the plagiarism is intentional and on a large scale then this becomes a violation of copyright which is a legal issue.
  6. Sending SPAM is also another ethical issue which creates a lot of problems for ordinary users of information systems.

Ethics in information society is a very delicate issue and changes with time. At one point of time, stealing of passwords was an ethical issue. Today it is a crime and has become a legal issue. Such changes in legal and ethical points of view occur with change in legislation and with changes in the norms of society.




Content Management System (CMS)

By Dinesh Thakur

Tremendous amounts of content get created every day in organizations. Most organizations do not have a structured approach to managing such content. However, there is a need for a scientific approach towards content and its management, especially in the digital environment where content gets created and updated much faster. Content management is therefore required in organizations to support the organization and to keep track of the huge volume of content that gets created every day.

Content management (CM) is the activity that supports the collection, management, and publication of information in any medium. Nowadays content management is usually done on IT platforms and hence it is considered as a separate set of technology that needs to be managed for the organization’s benefit. In IT driven companies the content is digital (in the form of alphanumeric text as in documents, multimedia content such as audio and/or video, or any other type) which helps in its management.

Content management is an important activity that an organization needs to take seriously if it wants to leverage its information base. Content management is a collaborative process and consists of the following:

  1. Content Creator – one who creates the content
  2. Content Editor – one who edits the content and makes it palatable.
  3. Content Publisher – content disseminator.
  4. Content Administrator – manager of content access, version, etc.
  5. Content user – content user.

A very important aspect of content management is version control. Digital content is easily changed and new versions are created of the same content. The content management system must ensure that the content that is available to the users is the current version of the content. Unless the version of the content is managed, the users may not be able to access the updated content. Content management must also be able to manage content distributions and digital rights management. Content management also eliminates duplication.

Drivers of Content Management

The three drivers that propel organizations for content management are:

  1. Collaboration: In today’s working environment, the same content gets created and worked upon by several people simultaneously. This poses a challenge for organizations and the only solution to this is to adopt content management.
  2. Compliance: Several compliance related issues have come up in the recent past that require a single version of the truth from organizations when they communicate to internal or external customers. This is again a challenge that can only be met by content management.
  3. Consolidation: This is the last driver for content management. Organizations need more and more consolidated content, which can only be achieved if content management is practiced.

Content Management System (CMS) is usually a software system with specific processes and procedures that allows us to manage digital content in a collaborative mode.

Types of CMS

  1. Enterprise Content Management used to manage enterprise wide content.
  2. Web content management systems used to manage web content.
  3. Document management systems used for managing documents.
  4. Mobile Content management system used to manage texts and multimedia content for mobile devices.




Total Quality Management (TQM)

By Dinesh Thakur

The concept of quality has changed over time. The awareness about quality started in the early half of the twentieth century, but back then quality was considered more of a technical issue and the onus of quality was vested in a department, which was called the quality control department. As the name of the department suggests, quality was a control issue, and hence statistical quality control techniques were developed to keep a ‘control’ over the quality. However, with time and with Japanese influence, this concept has changed.

Now, quality ownership is not vested with one department only but with the entire organization. Everybody in the organization is now quality conscious and quality has become more of a managerial and cultural issue rather than being just a narrow technical one. This transformation of the narrow concept of quality management over time into an all-encompassing broad concept of quality in everything and for everyone has been brought about by the concept of total quality management. In short, total quality management means quality for everyone, in everything and by everybody in the entire organization. It is a much broader concept and views quality more as a management issue than a technical one.

Most importantly, TQM is a continuous process and must be viewed as a process of perpetual improvement to improve the quality of just about anything in the organization. It focuses on getting things done right in the first attempt and is more of a philosophy of working (attitude towards working) than anything else. The concept is not new and has been in use in Japanese companies from the mid 1950s, but has gained acceptance in the West from the 1980s onwards. TQM has some principles that, if adhered to in designing management strategies and processes, will result in total quality within the organization.

The Principles of TQM

The principles of TQM are as follows:

  1. Quality can be managed and requires management will to be managed. It is an extremely important ingredient of successful management.
  2. Everyone in an organization has a customer.
  3. People are not the main problem for quality but processes are.
  4. Everyone is responsible for quality. The ownership of quality is vested in each employee.
  5. Problems must be anticipated and with proactive decisions, prevented not merely solved.
  6. Quality must be measured in understandable terms (preferably in quantitative terms).
  7. Improvement in quality is itself a continuous process and must not be viewed as frozen in time.
  8. Zero defects or six sigma should be the quality standard.
  9. Goals once defined on the basis of known requirements are not negotiable.
  10. One must always measure lifetime costs instead of upfront costs.
  11. Management must be completely involved with quality management and should lead the effort. There should be complete buy in at the top management level.
  12. Quality management initiative must be a planned and organized effort.

Six Sigma

Six Sigma is a method used for measuring, improving and controlling process performance. It is a methodology that improves customer satisfaction significantly by reducing variation in the processes.

‘Six Sigma is not something else that you do … it is what you do.’

What is six sigma?

  1. It is a philosophy which results in operational excellence.
  2. It reduces variation in processes and operations.
  3. A statistical measure of a process capability – 3.4 defects per million opportunities = 99.99966 per cent probability of passing non-defective products to the customer.

Benefits of six sigma

  1. Increased customer satisfaction
  2. Reduced defects
  3. Increased productivity
  4. Better and consistent processes

Six Sigma Methodologies

For Existing Processes (DMAIC):

[Figure: Six Sigma for an Existing Process]

For new design and new processes (DMADV/DFSS):

[Figure: Six Sigma Methodology for a New Design and a New Process]

Organizations implementing six sigma

Six sigma has been successfully implemented by manufacturing organizations like GE, AT&T, Motorola, Honeywell, etc., service organizations like American Express, IBM, Accenture, Microsoft, J.P. Morgan Chase, to name a few.

Six sigma approach

Y=f(X)

Where, Y = Output or Effect

X = Input or Cause

DMAIC model

Define phase

The define phase focuses on customer feedback or VOC (voice of customer). It is important to understand who the customer is and then understand the customer requirements. There are tools like interview, survey, focus group, etc., used to collect customer requirements. Once the VOC is obtained, it is translated into a measurable metric called the CTQ (critical to quality). A CTQ should be SMART (Simple, Measurable, Attainable, Relevant and Time bound).

The next step in define phase is to create the six sigma project charter. This is similar to a project plan and has six mandatory sections:

  1. Business case
  2. Problem statement
  3. Goal statement
  4. Scope
  5. Timelines or milestones
  6. Team/resources

Any six sigma initiative consists of customer, sponsor (who finances the project), project champion (the subject matter expert), six sigma team (master black belt, black belt, green belt) and team members (who help in the project).

The last deliverable in define phase is creation of a high-level process map or SIPOC.

SIPOC = Supplier – Input – Process – Output – Customer

GE uses COPIS:

COPIS = Customer – Output – Process – Input – Supplier

Measure phase

The following activities are undertaken as part of measure phase:

  1. Defining performance standards – consists of the target and the specification limits (operating range on the target)
  2. Data collection – data is collected for all potential causes
  3. Data analysis
  4. Measurement system analysis – no process can be completely variation free. In the measure phase, we call this the measurement system analysis. In a six sigma project before we start analyzing data, we have to ensure that the measurement system does not contribute errors of its own due to person measuring, or the measuring instrument or the sample that is getting measured
  5. Process capability – it is the measure of the current state of the process

Analyze phase

The following activities are undertaken as part of analyze phase:

  1. Basic data analysis on Y
  2. Identifying all potential causes, which are called ‘Trivial Many X’s’
  3. Finding out the root causes or ‘Vital Few Causes’ – tools such as fish bone diagram, Pareto analysis, cause and effect matrix, etc., are used to separate the vital few from the trivial many
  4. Validation of root causes

Improve phase

After the previous phases, we have a set of validated X’s. The deliverables in improve phase are:

  1. Design solutions – when X’s are isolated and independent, tools such as brainstorming, lateral thinking and TRIZ are used to design solutions. When X’s are interdependent, DOE (design of experiments) is a method used for conducting controlled experiments of how a process performs under differing conditions of variables
  2. Risk assessment – failure mode and effects analysis (FMEA) evaluates the different ways an input to a process step can fail and tries to understand the cause of that failure
  3. Solution Implementation
  4. Solution validation – used to measure the success of the process. Cost benefit analysis is used for the same.

Control phase

Control phase attempts to find out the stability of the process and ensures sustainability. Every completed six sigma project should have not only a control chart but also a control plan. This ensures that the process does not revert to the way it previously operated.




What Is Software Quality Assurance (SQA)? SQA Benefit and SQA Plan.

By Dinesh Thakur

SQA is a concept that spans the entire software development process. It focuses on improving the process of development of software so that problems can be prevented before they become a major issue. SQA also involves continuous monitoring of the process and making sure that agreed-upon standards and procedures are followed all along in the development process. It is the process of providing adequate assurance (to clients, senior management and other stakeholders) on (quality of) the process followed in the development of software (so that all concerned are satisfied about the fact that the plans laid out for development have been adhered to and that the software as developed conforms to specifications).

Since SQA can also be considered as a process for monitoring oversight in the development process, its activities have to be unbiased and the SQA team needs to be given freedom and authority. SQA may be internal or external as per agreed terms. Quality assurance usually also uses data from other supporting processes, like verification & validation, joint reviews, and audits.

The SQA process usually consists of the following tasks:

  1. Process implementation: In this task, the design team in consultation with the development team and the SQA team prepares a (quality assurance) process for the development of the software (project). This process is then synchronized with the related verification and validation, joint review, and audit processes that run concurrently. A plan is then prepared for the quality assurance process activities/tasks, which is documented and stored (for the life of the contract of the project).
  2. Product assurance: In this task, all plans and tasks are documented including their execution so that one can assure that all contractual obligations have been fulfilled.
  3. Process assurance: In this task, assurance is provided that the software (project) process complies with all the provisions of the contract and the plans for the process of development.
  4. Assurance of quality systems: In this task, the SQA team monitors the development process and measures parameters of the software (project), based on which a decision on the assurance of the software is provided.

SQA Benefits

SQA has a host of benefits. It ensures that software built as per SQA procedures is of the specified quality. SQA helps to

  1. Eliminate errors when they are still inexpensive to correct
  2. Improve the quality of the software
  3. Improve the process of creating software
  4. Create a mature software process

The SQA plan

The SQA plan is a document that specifies the process to be followed in each step of the software development and the procedures to be followed in each activity of such a process. The objective of the SQA plan is to ensure that the development of the software is based on a course of action and that from time to time the development can be measured, controlled and monitored with respect to such a course of action, so that the end product is as per the specifications. The plan is governed by several quality standards, policies and models such as ISO 9000, SEI CMM and Baldrige.




What is incident response?

By Dinesh Thakur

What is an Incident?

An incident in the parlance of information security is a security breach or even an attempt to breach security. An unsuccessful attempt to crack the security system is also an incident and needs to be investigated thoroughly.

Incident Response Process

Whenever an incident takes place, a series of steps needs to be taken to find out the causes of the incident to ensure that such incidents do not occur in future. The incident response process involves the following steps:

  1. Incident identification – it is the first step of incident response in which the incident is identified. Some common incidents may be DoS, port scanning, IP sniffing, social engineering, banner capture, unauthorized access or virus infection.
  2. Incident classification – it is the next step in which the incident is classified based on its severity. Every organization must maintain an incident classification chart to rate an incident when it occurs based on its criticality.
  3. Incident notification – it is the notification given to specific functionaries about the incident.
  4. Incident response and containment – it is the action taken to thwart the incident.
  5. Incident recovery – it is the recovery activity to restore the system to its previous status.
  6. Post mortem – this is the post incident investigation to find out the vulnerabilities in the system that allowed the incident to happen.

[Figure: Incident Response Flow Chart]
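The first three steps of the process (identification, classification against a chart, notification) can be sketched in code. This is an added example, not part of the original article: the log format, thresholds, asset list, classification chart and notification roles are all assumptions made for the illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<UTC time> <ALLOW|DENY> TCP <src>:<port> -> <dst>:<port>"
LOG_RE = re.compile(r"^(\S+) (?:ALLOW|DENY) TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

WINDOW = timedelta(seconds=60)   # look-back window (assumption)
SCAN_PORTS = 5                   # distinct ports on one host => port scan
FLOOD_CONNS = 8                  # connections to one service => DoS attempt

# Hypothetical classification chart: (incident type, asset criticality) -> severity
ASSET_CRITICALITY = {"10.20.1.5": "high", "10.20.9.9": "low"}
CHART = {("port_scan", "low"): "low", ("port_scan", "high"): "medium",
         ("dos", "low"): "medium", ("dos", "high"): "critical"}
# Hypothetical notification list per severity
NOTIFY = {"low": ["security analyst on duty"],
          "medium": ["security analyst on duty", "system owner"],
          "critical": ["security analyst on duty", "system owner", "CISO"]}
SEVERITY_ORDER = ["critical", "medium", "low"]


def _line(clock, action, src, dst, dport):
    return f"2024-05-01T{clock}Z {action} TCP {src}:40000 -> {dst}:{dport}"


# Constructed sample log: one scan of a critical host, one flood, one scan of a
# low-value host, two ordinary connections and one unparseable line.
SAMPLE_LOG = (
    [_line(f"10:00:{i:02d}", "DENY", "198.51.100.23", "10.20.1.5", p)
     for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + [_line(f"10:05:{i:02d}", "ALLOW", "203.0.113.50", "10.20.1.5", 443)
       for i in range(10)]
    + [_line(f"10:10:{i:02d}", "DENY", "198.51.100.77", "10.20.9.9", p)
       for i, p in enumerate((22, 80, 443, 3306, 8080))]
    + [_line("10:20:00", "ALLOW", "192.0.2.10", "10.20.9.9", 443),
       _line("10:21:30", "ALLOW", "192.0.2.10", "10.20.9.9", 443),
       "corrupted line that the parser skips"]
)


def parse(lines):
    """Turn log lines into (time, source, target, target port) tuples."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not in the assumed format
        ts, src, dst, dport = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return events


def identify(events):
    """Step 1: slide a time window over each source/target pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in sorted(events):
        by_pair[(src, dst)].append((ts, dport))
    found = set()
    for (src, dst), hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            ports = [p for _, p in hits[start:end + 1]]
            if len(set(ports)) >= SCAN_PORTS:
                found.add(("port_scan", src, dst))
            if max(ports.count(p) for p in set(ports)) >= FLOOD_CONNS:
                found.add(("dos", src, dst))
    return found


def classify(incident):
    """Steps 2 and 3: rate the incident from the chart and pick who is told."""
    kind, src, dst = incident
    severity = CHART[(kind, ASSET_CRITICALITY.get(dst, "low"))]
    return {"type": kind, "source": src, "target": dst,
            "severity": severity, "notify": NOTIFY[severity]}


def triage(lines):
    records = [classify(i) for i in identify(parse(lines))]
    return sorted(records, key=lambda r: (SEVERITY_ORDER.index(r["severity"]), r["source"]))


if __name__ == "__main__":
    for record in triage(SAMPLE_LOG):
        print(record)
```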

Some Attack Techniques and Technologies

Some of the attack tools and techniques are:

  1. IP spoofing is the technique of using a forged 12 digit IP address (source) in the IP packets that are used in the TCP/IP protocol for data communication (primarily on the Internet or on any other TCP/IP network) for concealing the identity of the sender or impersonating another computing system.
  2. Packet sniffing is a technique or a program to troubleshoot network traffic. However, often it is used by hackers to get information about the source and destination of IP packets on a TCP/IP network. On a TCP/IP network like the Internet, data is broken down into small packets that are transmitted over the network and gathered together at the destination, where they are reassembled and displayed or stored. These packets have stamps of destination and source on them so that they are not lost. Packet sniffing is the technique that can capture these floating packets on the TCP/IP network like a wiretap and find out what is being sent to or from a source or destination.
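The source and destination "stamps" described above are fixed fields of the IPv4 header, and a border filter can use them to reject packets whose source address cannot be genuine. The following is an added example, not part of the original article: it parses constructed headers and applies source-address filtering, with the internal address block `10.20.0.0/16` and the interface labels `external` and `internal` as assumptions.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header (RFC 791), no options

# Assumption for this example: the organization's own address block.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Sources that are never valid on the wire: "this network", loopback,
# multicast and reserved space.
NEVER_VALID = [ipaddress.ip_network(n) for n in
               ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]
# RFC 1918 private ranges, which should not arrive from the Internet side.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def header_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, inverted."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Construct a sample header for the demo (not captured traffic)."""
    raw = struct.pack(IPV4_FMT, 0x45, 0, 40, 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", header_checksum(raw)) + raw[12:]


def parse_header(raw: bytes) -> dict:
    """Read the source and destination stamps out of an IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "ttl": ttl, "proto": proto, "total_len": total_len,
            # A header summed together with its own checksum field yields 0.
            "checksum_ok": header_checksum(raw[:ihl]) == 0}


def filter_verdict(raw: bytes, arrived_on: str) -> str:
    """Decide whether the claimed source is plausible for the interface
    ('external' or 'internal') on which the packet arrived."""
    hdr = parse_header(raw)
    src = hdr["src"]
    if not hdr["checksum_ok"]:
        return "drop-bad-checksum"
    if any(src in net for net in NEVER_VALID):
        return "drop-invalid-source"
    internal = any(src in net for net in INTERNAL_NETS)
    if arrived_on == "external":
        if internal:
            return "drop-spoofed-internal"      # our own address, from outside
        if any(src in net for net in PRIVATE_NETS):
            return "drop-private-from-outside"
    elif not internal:
        return "drop-egress-spoof"              # inside host claiming a foreign source
    return "accept"


if __name__ == "__main__":
    samples = [("198.51.100.23", "10.20.1.5", "external"),
               ("10.20.1.9", "10.20.1.5", "external"),
               ("203.0.113.50", "198.51.100.23", "internal")]
    for src, dst, side in samples:
        print(src, "->", dst, "on", side, ":", filter_verdict(build_header(src, dst), side))
```

The header checksum only detects corruption: a sender who forges the source can recompute it, so the address checks are what carry the filtering decision.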




Threat and Vulnerability Management (TVM)

By Dinesh Thakur

We are going to discuss the threats to and vulnerabilities of information systems from both insiders and outsiders, and the ways of managing such threats and vulnerabilities.

Information Security Attacks from Insiders

It is now an acknowledged fact within the information security community that insiders (people with access to information systems of organizations) within the organization represent one of the biggest (estimates vary from half to three-fourths of all security incidents) information security threats (Dillon 1999, Whitman 2003). Considering that a large number of such incidents go undetected (Hoffer and Straub 1989), it is most likely that these numbers are actually much higher. Specialists therefore prescribe a cocktail of measures to prevent security incidents. These measures fall under two broad categories:

  1. Procedural or business control measures – those that define access and other security policies, usage guidelines, and security education, training and awareness (SETA) programs.
  2. Technical measures – these include authentication measures, monitoring techniques, tools and filtering mechanisms.

Types of Information Security Attacks from Outsiders

Information security attacks can be of various types. Modern attacks and techniques are difficult to detect and stop as it requires continuous monitoring of the system. Perimeter security is therefore of vital importance as the objective of a security system is to halt an attacker from gaining access into the system. The following are the major forms of attack:

Hacking

It is the activity of getting into a computer system without authorization to have an access for a look around and see what is possible to do in the system. Hackers are mainly of three different types.

  1. Ethical hackers: Ethical hacking and hacking etiquette demand that the hacker, after having penetrated the system, notify the system administrator of his entry to let him know about the vulnerability of the system. This kind of hacking actually helps the organization to improve its security apparatus.
  2. Crackers: These are malicious hackers. Once they get inside a system, they destroy valuable assets. Their objective is to cause as much damage to the system as possible. These attacks are to be feared as they have the potential to cause large-scale damage to the organization’s information assets.
  3. Phreaks: These are people who hack into the phone systems of organizations so that they can then make calls at the expense of the organization.

Each hacking incident, however, may be different from the other, as each hacker in each incident tries a different trick to exploit a different vulnerability of a system. Since most systems nowadays are connected to the Internet, most hacking incidents involve net-based hackers who gain access to the organization’s computer systems and then cause damage to them. Most hacking incidents follow a typical pattern or method, whose stages are:

Reconnaissance-The hacker before embarking on a full-scale attack tries to find out the counter measures that are protecting a system. He tests the waters before jumping into the action. In this stage, he typically tries to gather information about the system (and/or network), its vulnerabilities, critical information stored in the system, key employee information, public information about the system and the organization, information about customers of the organization. This is passive reconnaissance. After this stage, the hacker moves on to active reconnaissance in which he acquires DNS information, IP addresses, performs ping sweeps, SNMP network scans and other attacks like banner grabbing, etc.

Vulnerability scanning-After the reconnaissance stage, the hacker moves to the scanning stage in which he looks for vulnerabilities in the perimeter security of the system. He also scans the routers and firewalls of the organization to check for vulnerabilities.

Securing/getting access-After the scanning stage, he moves to the stage of gaining access. Here he accesses the organization’s system after capitalizing on any vulnerability in the organization’s security system. This can happen through the operating system of the organization’s server or networked computer, an application (either planted within the system or a suitable file corrupted/modified by the hacker to work on his commands), or through any network devices in the organization’s network.

Maintaining access-After getting access to the organization’s system, the hacker would normally like to continue to maintain access. This he manages by planting a custom-built application on the already compromised server of the organization. This strategy helps the hacker to enter and exit the system at will. Thus, the hacker can have complete control over the organization’s system. He can upload applications, modify applications, modify data without anyone’s knowledge, steal data and cause widespread damage to the system. At this stage, the hacker evaluates the information assets of the organization and, based on his intentions, goes ahead with a plan to profit from his efforts. He may wish to just maintain access without causing any damage, steal information and sell it outside, profit from altering the data of the organization or simply blackmail the organization.

Covering tracks-Once the hacker has enabled his access into the organization’s system, he would like to remove any trace of his entry and exit from the system. This he manages by suitably deleting the evidence of his access from the audit files and log files. Thus, the system administrators remain oblivious to the access of the hacker.
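A defensive counter to the covering-tracks stage described above is a tamper-evident audit log. The Python code below is an added example, not part of the original article; the entry format, the key handling and the constructed sample events are assumptions. Each entry carries an HMAC over its content and the previous entry's tag, so an edited or deleted record breaks the chain, and the latest tag kept on a separate host reveals a truncated tail.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # tag that the first entry chains to


def _tag(key: bytes, prev_tag: str, seq: int, ts: str, msg: str) -> str:
    """HMAC-SHA256 over the entry content plus the previous entry's tag."""
    body = json.dumps([prev_tag, seq, ts, msg], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, ts: str, msg: str) -> str:
    """Append one entry and return its tag (to be copied to an off-host anchor)."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "ts": ts, "msg": msg,
                "tag": _tag(key, prev_tag, seq, ts, msg)})
    return log[-1]["tag"]


def verify(log: list, key: bytes, anchor_tag: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means no tampering was found."""
    findings = []
    prev_tag = GENESIS
    for pos, entry in enumerate(log):
        if entry["seq"] != pos:
            findings.append(f"position {pos}: sequence gap (found seq {entry['seq']})")
        expected = _tag(key, prev_tag, entry["seq"], entry["ts"], entry["msg"])
        if not hmac.compare_digest(expected, entry["tag"]):
            findings.append(
                f"position {pos}: tag mismatch (entry edited or predecessor removed)")
        prev_tag = entry["tag"]
    # Without an anchor held elsewhere, cutting entries off the end goes unnoticed.
    if anchor_tag is not None and not hmac.compare_digest(prev_tag, anchor_tag):
        findings.append("tail does not match off-host anchor (entries truncated or replaced)")
    return findings


def demo() -> dict:
    """Build a constructed log, tamper with copies of it, and verify each copy."""
    key = b"constructed-demo-key"  # assumption: the real key is not stored on the logged host
    events = [  # constructed sample events, not taken from any real system
        ("2024-01-01T10:00:00Z", "login ok user=alice src=10.0.0.5"),
        ("2024-01-01T10:02:11Z", "login ok user=svc_backup src=203.0.113.7"),
        ("2024-01-01T10:02:40Z", "file uploaded path=/srv/app/helper.bin"),
        ("2024-01-01T10:05:00Z", "logout user=svc_backup"),
    ]
    log, anchor = [], None
    for ts, msg in events:
        anchor = append(log, key, ts, msg)

    def copy(entries):
        return [dict(e) for e in entries]

    deleted = copy(log[:2] + log[3:])           # one record removed from the middle
    edited = copy(log)
    edited[1]["msg"] = "login ok user=svc_backup src=10.0.0.5"  # source address rewritten
    truncated = copy(log[:2])                   # everything after entry 1 cut off

    return {
        "intact": verify(log, key, anchor),
        "deleted": verify(deleted, key, anchor),
        "edited": verify(edited, key, anchor),
        "truncated": verify(truncated, key, anchor),
        "truncated_no_anchor": verify(truncated, key),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "no findings")
```

The chain only helps if the key and the anchor tag are out of reach of whoever controls the logged server, which is why logs are normally forwarded to a separate collector.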

Denial of service (DoS)

This is another form of security attack in which the attacker overwhelms the organization’s server (or other hardware resources) or the telecommunication lines from the ISP. Normally, DoS attacks are one-to-one, meaning that the attacker launches an attack from his machine and attacks one organization with the objective of overwhelming its resources (hardware or telecom), thereby denying the system’s services to legitimate users. Since February 2000 the trend for such attacks has changed. Now attackers use a many-to-one mode of attack for DoS. This is known as distributed denial of service (DDoS). The attacker creates zombies (compromised machines on the Internet that run application code controlled by the attacker). At his instructions, DoS attacks are launched simultaneously on a single target from all the zombies (sometimes as many as tens of thousands). The only way to control DDoS attacks is to control the number of zombies on the network. It is one of the most difficult forms of attack against which an organization is to be secured.

Malicious code

This is another form of security threat, being pieces of code that reach vital areas of a system and render great damage to it. The easiest form of distributing malicious code is through e-mails. It is therefore a good idea to check the attachment files in e-mails before opening them. There are many different types of malicious code:

  1. Virus: This is the most common type of malicious code. Viruses are also of various types. File viruses are viruses that infect files of a system and then keep on multiplying themselves whenever a user opens or accesses a file, and therefore spread to all parts of a system and damage all files in a system. Such file viruses are the most common form of virus applications. Most file viruses are executable files. Other types of viruses attack the master boot record of the operating system, thereby rendering the OS useless. Some viruses are application specific, like macro viruses that affect office applications.
  2. Worm: A form of malicious code that affects networks. Worms have the capability to replicate themselves over a network and spread very quickly from one machine to another in a network. Several highly publicized attacks have been reported.
  3. Trojan: It is a stealth version of a malicious code. It seems like a good and trustworthy code on the surface but is actually a malicious code in reality. The easiest way to stop Trojans is to stop opening untrustworthy attachments and stop downloading and running freeware.
  4. Logic bomb: This type of malicious code waits in a system for a trigger, like a particular date and time, to unleash damage. The code waits patiently and does not act malevolently until a particular date and time; after that due date and time, it works in a malevolent manner by damaging the system and data.

Social engineering

This is another way of attacking a system. Social engineering is a set of techniques used to trick gullible users into parting with their critical information like username and password. The social engineering attacker uses the following human attributes to get access to critical data:

  1. Most people trust others unless they are found untrustworthy. The attacker exploits this trait of human nature. For example, simple calls made ostensibly on behalf of a trustworthy organization like a bank would make us divulge a lot of critical information about our bank accounts.
  2. The fear of getting into trouble is also another human trait that the attacker exploits. For example, a simple mail requesting you to give your password for better maintenance of your bank account may actually cause fear in your mind that if you do not divulge your password, maintenance will not be proper and hence some indeed do give away their password.
  3. Preference for short cuts is another human trait that attackers exploit. Most people give passwords as nicknames or birth dates or name of their pets which can be easily cracked.

Thus, we can see that a skilled social engineer may be able to get critical data that will enable him to access the system without much trouble. Thus, this type of attack is a very serious threat that all must be careful about.

Some Top Hacking Incidents of All Time

1990s

Kevin Mitnick, a well known hacker, hacked into computer networks and systems of top telecom companies like Nokia, Fujitsu, Motorola, and Sun Microsystems. The incident caused a huge stir in the security establishment and Mitnick was arrested by the FBI in 1995, but later released on parole in 2000.

1995

A Russian hacker Vladimir Levin was the first hacker to hack into a bank to rob money. In early 1995, he hacked into a top US bank which had a very secure VAX VMS based system and robbed an estimated $10 million USD. He was later arrested.

1990

In 1990 a radio station in Los Angeles started a contest that awarded a Porsche to the 102nd caller. Kevin Poulsen, a hacker, took control of the entire city’s telephone network and ensured that he was the 102nd caller, so that he got the prize. He was later arrested.

1996

Timothy Lloyd wrote a small piece of malicious software code that allowed a “logic bomb” to explode which deleted software worth $10 million USD.

 

1988

Robert Morris, a Cornell University graduate, launched a worm on the Internet that infected machines worldwide and crashed thousands of machines.

1999

David Smith wrote and launched one of the most dreaded viruses, Melissa, which damaged machines worldwide.

2000

 

Mafia Boy hacked into the most popular sites on the Internet, like eBay, Amazon and Yahoo, and managed to engineer a Denial of Service attack.




The 4R Model of Information Security

By Dinesh Thakur

The ISO/IEC 27001 definition of information defines information as an ‘asset’. Therefore, information is something that has value and needs to be protected against theft or destruction. All counter measures that are taken to protect information from theft or destruction come under the purview of information security measures. Information security is therefore defined as all steps taken by the organization to protect its information and information systems. The steps may be technical or managerial in nature and may involve automation or manual controls.

At the core of the concept of information security lies the concept of the 4Rs, which are:

  1. Right information-means that information has to be accurate and complete
  2. Right people-means that information is available to the people who are authorized to receive it.
  3. Right time-means information must be available to the authorized individual on demand.
  4. Right format/form-means that information must be given in a format that makes some meaning. It has to be given in a format that makes decision-making easier.

Figure: The 4R Model of Information Security

If information has to be protected, the 4Rs must be applied properly, information and its value must be well understood and the threats to it must be analyzed in detail. Only then, can counter measures be taken to ensure that there is no deviation from the principles of the 4R, i.e., information confidentiality is maintained, information integrity is guaranteed, availability to authorized personnel is ensured on demand and the integrity of the formats of information storage and delivery are not tampered with.

However, there are risks to information assets. While some risks may be eliminated, some risks can only be minimized. Such risks are to be managed properly to ensure smooth functioning of the information infrastructure. From a security perspective, risks are potential issues and have to be understood carefully in order to come up with security counter measures that would minimize or eliminate the risk.

Risk may be defined by the formula:

Risk = ƒ(Information asset value, threats, vulnerabilities)

As one can see, risk to an information system can be defined as a function of the asset value of the information, the threat to the information and its vulnerabilities. Risk can therefore be managed if we are able to manage the asset value, the threat to it and its vulnerabilities.

The risk management alternatives therefore are:

  1. Risk reduction.
  2. Risk acceptance.
  3. Risk transference.
  4. Risk avoidance.
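The following Python code works the risk formula and the four alternatives above through a small register. It is an added example, not part of the original article: the 0-5 scales, the multiplicative form of ƒ, the mapping of each alternative onto one input of the function, the appetite threshold and the sample assets are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace

SCALE = range(0, 6)  # assumption: ordinal scores, 0 = not present, 5 = highest


@dataclass(frozen=True)
class RiskItem:
    name: str
    asset_value: int    # value of the information asset to the organization
    threat: int         # likelihood/capability of something acting against it
    vulnerability: int  # how exposed the asset is to that threat
    treatment: str = "untreated"

    def __post_init__(self):
        for field in ("asset_value", "threat", "vulnerability"):
            if getattr(self, field) not in SCALE:
                raise ValueError(f"{self.name}: {field} must be between 0 and 5")

    @property
    def risk(self) -> int:
        # Assumption: f() is a product; the article only says risk is a
        # function of these three inputs.
        return self.asset_value * self.threat * self.vulnerability


def treat(item: RiskItem, alternative: str, new_level: int = 0) -> RiskItem:
    """Return the residual item after applying one of the four alternatives."""
    if alternative == "acceptance":      # nothing changes, the risk is carried knowingly
        return replace(item, treatment="acceptance")
    if alternative == "avoidance":       # the activity is stopped, so no exposure remains
        return replace(item, threat=0, treatment="avoidance")
    if alternative == "reduction":       # controls lower the vulnerability score
        if new_level >= item.vulnerability:
            raise ValueError("reduction must lower the vulnerability score")
        return replace(item, vulnerability=new_level, treatment="reduction")
    if alternative == "transference":    # a third party bears part of the loss
        if new_level >= item.asset_value:
            raise ValueError("transference must lower the value at stake")
        return replace(item, asset_value=new_level, treatment="transference")
    raise ValueError(f"unknown alternative: {alternative}")


def over_appetite(register, appetite: int) -> list:
    """Items whose risk exceeds the appetite, highest risk first."""
    return sorted((i for i in register if i.risk > appetite),
                  key=lambda i: i.risk, reverse=True)


def sample_register() -> list:
    """Constructed sample assets and scores."""
    return [
        RiskItem("customer database", asset_value=5, threat=4, vulnerability=4),
        RiskItem("legacy FTP server", asset_value=2, threat=4, vulnerability=5),
        RiskItem("public website", asset_value=3, threat=5, vulnerability=2),
        RiskItem("intranet wiki", asset_value=2, threat=2, vulnerability=2),
    ]


def treated_register() -> list:
    """Apply one alternative to each sample item and return the residual register."""
    db, ftp, web, wiki = sample_register()
    return [
        treat(db, "reduction", new_level=1),      # patching and access control
        treat(ftp, "avoidance"),                  # service decommissioned
        treat(web, "transference", new_level=2),  # hosting provider carries part of the loss
        treat(wiki, "acceptance"),                # already below appetite
    ]


if __name__ == "__main__":
    appetite = 25  # assumption: threshold set by management
    for label, register in (("before", sample_register()), ("after", treated_register())):
        print(label)
        for item in register:
            flag = "OVER" if item.risk > appetite else "ok"
            print(f"  {item.name:18} risk={item.risk:3} {item.treatment:12} {flag}")
```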




Critical Success Factors In Implementation of Information Systems

By Dinesh Thakur

It has been observed that certain factors are critical for the successful implementation of information systems. These factors fall under both management and technical factors. The critical factors that determine the success of implementation of information systems are:

Top Management Commitment

It has been observed that top management commitment is vital for a successful IS implementation. Whenever there is top management commitment, minor issues and problems do not snowball into major ones and they normally do not pose a challenge. However, in the absence of such commitment even minor issues become unmanageable. It is important that top management commitment for such IS implementation is not only present but is also communicated well within the organization, so that there is no ambiguity about the commitment. This strong signal of the will of the top management makes the work of the implementers easier. Minor issues cease to become issues at all and even major issues are sympathetically dealt with and urgently attended to by the client organization.

IS Team Composition

The implementation of IS is done by a team. The team consists of technical and management specialists from the vendor organization as well as people from the IS department and other stakeholder departments of the client organization. The constitution of the team is a very important and critical factor in the successful implementation of IS. The team must consist of representatives from the user community, people who were part of the planning team and the designing team in the client organization, other stakeholders in the client organization and people from the human resources department. The team must also obviously have members from the vendor organization who have sufficient knowledge of the IS being implemented. Their technical knowledge and managerial competence must be beyond any doubt. It is best if such a team works under the supervision of a top management functionary with sufficient powers and authority to take suitable decisions about the project, so that better control can be exercised on the implementation schedules and issues that come up on the floor can be ironed out across the table. The urgency of the implementation in such cases is clearly demonstrated to the entire organization. The acceptability of the IS also improves if the team consists of members from all stakeholders and is steered by a senior manager.

IT Teamwork

The team that is created must work in a cohesive manner with a sense of purpose. A unified front must be projected so that acceptability of the project improves. If the team members indulge in public spats, the chances of successful implementation are grim. However, every effort must be made to find out real issues and they must be dealt with in right earnest. The team members must work as a team in all respects.

IS planning Quality

An IS project is as successful as its plan. If the planning was faulty, the IS implementation will no doubt be faulty. The IS will never be able to supply the kind of information the client desires if the planning has not been done diligently.

Diligent Project Management

The manner in which the implementation project is handled is another critical success factor. Modern project management techniques must be used to estimate accurate cost and time schedules, which must then be strictly monitored and adhered to. Any laxity will result in slippage of deadlines, resulting in loss of credibility of the project.

Change Management Initiatives and their Effectiveness

The process of implementation is normally a process of change and hence is riddled with challenges. Therefore, change management is probably the single most important factor in most large-scale IS implementations. The change management initiatives must be considered as part of the implementation effort and should be done proactively rather than in a reactive manner. Change management initiatives must also be done with the seriousness that they deserve. A callous attitude towards change management initiatives can cause more damage than good. Hence the attitude of management must be calibrated to suit the initiative.

Effective Communication

Communication is a key element in any organization initiative. In IS implementation, communication is a key element for success. Both formal and informal communication needs to be managed for implementing the project successfully. Effective communication will improve transparency and build trust within the client organization, thereby reducing the dependence on change management interventions.

Training

Training is a key factor in the successful implementation of a new IS: it makes the IS acceptable to the users, reduces resistance to the IS and creates a better environment as a whole for the implementation to proceed smoothly. However, the quality of the training must be good, and the added benefits of the IS being implemented must be explained to the users. The reason for migrating to the new IS will then be clearly understood by the users. Training will also help in the smooth transition from the old system to the new one without hampering the business process efficiency of the organization.

Technical Quality of IS

Even with all the support from the client, the implementation can fail if the basic technical product that comes from the vendor is of bad quality. Good technical quality is a necessary condition. With bugs in the system popping up every few minutes, the system will have very slim chances of success. A glitch-free technical system is therefore a critical factor.

HR Measures to Neutralize Organization Antibodies

Organization antibodies are people who find fault where none exists. Negativity and pessimism are the defining characteristics of such individuals. Sometimes they may also have motives to bad-mouth a new system. When influential staff bad-mouth the new IS, others follow them. This creates an avalanche effect and confidence in the new system falls drastically. This is an HR issue and has to be dealt with by the HR department in a firm and fair manner. It must be made known within the organization that there exists room for discussion and debate. Several teams and committees that are formed from the planning stage of a new IS initiative must be highlighted as forums for discussion and debate, but only at the right time. Once a decision is taken about an IS by the top management, everyone must work towards making that decision a success. Any deviation from this must attract the necessary measures that it deserves. Such a measure will neutralize any antibodies, and in their absence the implementation will be smooth.

                        Critical Success Factors for Implementation of IS




Implementation of MIS

By Dinesh Thakur

Implementation of a system is as important as the creation of it. Implementation can easily destroy the good work done in the earlier phases and bring the system to a standstill. Implementation requires technical and managerial skills, as the implementers work as change agents. Implementation is also a process that has a series of sequential steps which culminates in making the new system operational.

Implementation as an activity has to be carefully managed. It requires client interaction at every stage. The implementers need the full support and cooperation of the client and the IS department functionaries to successfully execute the implementation of information systems. In order to help them perform this task of implementation smoothly, a series of predefined steps are followed. These implementation tasks are as follows:

Implementation Plan

It is the series of action-oriented steps planned for making the implementation smooth. It normally involves the following steps:

  1. Creating a master schedule of the implementation activities
  2. Setting timelines for critical and non-critical activities
  3. Identifying major bottlenecks and their solutions
  4. Communication of the plan.

This step is required to help the user community to understand the time frame for installation of the new system. Communication plays a vital role in the implementation, and without proper communication, especially from the top management, on the installation and implementation of the new system, change management will be difficult. Issues related to resistance to change will come to the fore, making the difficult task of implementation more difficult. Communication of the plan of implementation to the user community helps the users to prepare for the change and makes them mentally prepared for it. The communication is required to be formal so that rumors cannot be spread about the system. The communication process may itself be in several phases. The top level can communicate the general intent of the new system and then detailed briefings to staff may be left to the divisional heads. The communication process also indicates (indirectly) the role each employee is required to play in the implementation process.

Organizing the MIS Department

The MIS department will be the custodian of the new system. Hence, it has to gear up to support the new system. Organization of the department is therefore necessary before the new system becomes operational. The roles of each member of the MIS department have to be clearly laid out before the new system becomes operational. Effort is made to ensure that the role of the MIS staff is understood by each member of the organization. Training is provided to those who need training on the new system so that they in turn can help others. This process of organizing the MIS department starts much before the actual implementation process begins, as it entails some hiring and training which requires some lead time. The organization is done in such a timeframe that staff is available when the actual implementation starts. This enables the MIS staff to provide support to the implementation team when the implementation process starts. This will also help the MIS staff to understand the nitty-gritty of the new system, as they will be able to get hands-on experience in the implementation of the new system.

Selection and Procurement of Hardware

This step of the implementation process is an important step as it involves huge investments. Proper care is taken to ensure that the organization gets the best deal from such selection and procurement of the hardware. The process of selection and procurement of hardware also varies greatly from firm to firm depending on the size of the firm, the sector in which it operates and the type of management. However, the following procedure is followed:

  1. Preparation of vendor list-a list of reliable vendors is prepared. This list of vendors may be prepared after analyzing the vendor management experience of the organization with different vendors or may be prepared based on some accepted list of vendors in that business space prepared by some organization of repute or some industry body/regulatory body. The vendors that are selected to be part of the list are chosen carefully after a thorough checking of their credentials and goodwill in the market. This is essential as the vendor relationship is based on trust and compromise and not only on the basis of strict commercial terms.
  2. Preparation of RFP-the implementation team must prepare the request for proposal document based on their understanding of the hardware requirement of the new system. The RFP must have complete technical details about the required hardware systems including specifications, format, performance expectation, and warranty and service quality requirements. This document is prepared by the implementers in consultation with the development team, management of the organization and the MIS team of the organization so that the need for each specification is well established and there is no scope for any difference of opinion. The consultative process results in the RFP which is a technical document. The RFP also has commercial details which the implementation team prepares in consultation with the management of the organization. The RFP is a quasi-legal document in some countries and proper legal opinion is normally sought before sending it to the enlisted vendors.
  3. Request for bids/proposal to select vendors-after the RFP is prepared it is sent by some mode of communication to the enlisted set of vendors. The communication medium can be an open advertisement in print or electronic media or may be in the form of a letter to the vendors with a deadline for submission of the proposal.
  4. Evaluation of RFP-this is a difficult process. After bids are received before the deadline, they are checked (preliminary check) for basic errors. Those found to be prima facie proper are then evaluated. Several methods of evaluation exist. The evaluation could be on the basis of cost alone or quality alone or may be a mix of both cost and quality. Typically, a score based system of evaluation is used to rank the vendors’ proposals. Scores are assigned to each attribute of a vendor’s proposal like cost, goodwill, track record and service quality guarantee. Based on the weightage given to each attribute a composite score is prepared, which is used to evaluate the proposals. Whatever the methodology for evaluating the proposal, one must take care to apply the same evaluation criteria to all proposals. Different yardsticks should not be applied to different proposals.
  5. Selection of vendor-based on the evaluation a single vendor or a select set of vendors are chosen for delivery of hardware. Contract negotiations and price negotiations are held with this select group of vendors and following the successful completion of the negotiations the final contract will be signed.

Procurement of Software

The new system being implemented will have been created based on assumptions of operating environment of the organization. Procurement of system software is done on similar lines as the procurement of hardware. The only difference in the case of procurement of software is that the choice of what software to purchase is already made at the design stage of the system development and hence, the RFP preparation process is straightforward. The implementation team need not prepare the specification for the system software. They only need to procure the system software that the new system is designed to run on. The rest of the process is almost similar to the hardware procurement process.

Creating the Database

The new system to be implemented will have data stores. In modern systems, data stores are databases. These databases run on relational database management systems, which are separate application software packages. The database has to be created, and structures inside the database have to be created, in order to enable it to store data. The implementation team creates the database, its structures and rules so that the application system being implemented can be plugged into the database and start working.

Training of Users

Implementation is a larger issue than installation. The new system may get installed but without proper training of users, it may not be of good use. Implementation is a larger concept and focuses on the installation and hand-holding part of the transition process. A training needs assessment is done to understand the training needs of the users. A training programme is planned and the required training given to users. This is an important part of the implementation process and helps in reducing the resistance to change related behavior among the user community. The training also helps users to appreciate the new features of the new system and helps build trust and appreciation for the new system.

Creating Physical Infrastructure

The new system being implemented may require a physical infrastructure. The implementation team must ensure that the system performance does not suffer due to infrastructure bottlenecks. The implementers will have to use their persuasive skills and convince the management of the organization to create the required physical infrastructure so that it does not affect the performance of the new system.

Transition to the New System

This is the last step in the implementation process. The transition if done wrongly leads to a lot of pain. Hence, it is necessary to move slowly on the transition front. Normally, after the new system is installed and ready, the new system and the old system are both used for a period to ensure that the company performance does not suffer due to transition problems. Slowly when the users gain more capability to handle the new system the old system is phased out.




What is Systems Development Life Cycle?

By Dinesh Thakur

Systems development on a large scale was first attempted by the US military in its Department of Defense (DOD) and by the National Aeronautics and Space Administration (NASA). They were therefore instrumental in developing the framework of a sequence of stages or phases for developing a system.

This sequence of distinct stages that a system goes through in its entire life is called the system development life cycle (Anderson 1991). The idea in such frameworks is to understand the detailed issues pertaining to the system in concept development, requirement definition, design, implementation, test and integration, installation, acceptance and operations.

Role of System Analyst

By Dinesh Thakur

A system analyst is responsible for analyzing, designing and implementing systems to fulfill organizational needs. He/she plays a vital role in making the management information system operational.

The role of the analyst has, however, changed with time. Now a system analyst is seen more as a change agent responsible for delivering value to an organization on its investments in management information systems (which include a heavy dose of information communication technology investment). The Random House Dictionary defines a system analyst as ‘a person who conducts a methodical study and evaluation of an activity such as business to identify its desired objectives in order to determine procedures by which these objectives can be gained’.

An organization requires system analysts, as line managers normally do not have an understanding of the kind of information-based solutions that are possible for their business problems. A system analyst bridges this gap, as he/she has a thorough knowledge of both the business systems and business processes. A system analyst is therefore in a position to provide information system based solutions to organizations after having studied the problem that the organization is facing. They understand both business and technology. They study a business problem or opportunity and devise an information system enabled solution for it by detailing the information system specifications. This set of specifications that the analyst delivers is in a technical format which is easily understandable to a technical (IT) specialist. The technical specialist might not understand the business issue if it comes directly from the line managers, as he has very little knowledge of business processes. The system analyst then bridges the gap between the two by translating and transforming the business problem/opportunity into an information systems solution and supplying the specification of such a system to the technologist, who can then take up the task and build the actual system.

This may sound very easy but it is actually not an easy task. In most cases, the analyst works as a change agent. When devising a solution, the analyst does not restrict himself/herself to the immediate problem/opportunity at hand but also focuses on the future. This requires that an analyst suggest some changes in the process of doing business to bring in greater efficiency in future. Inevitably, the process of creating an information systems enabled solution is coupled with the activity of business process reengineering through which change is brought in. The analyst uses the opportunity of devising a solution to bring in change and make the organization more efficient. Thus, a system analyst may also be considered as a change agent.

As we have pointed out in the previous section, the role of the analyst encompasses both the business and technology domains. In addition, the analyst also works as a change agent; hence the work of an analyst requires not only very good technical knowledge but also business and interpersonal skills.

The interpersonal skills required by a system analyst are:

  1. Communication: The analyst needs to be a very good communicator to understand and communicate to the user group as well as to the technical specialists. Sometimes the users may not be able to communicate their needs fully to the analyst, but the analyst must be able to understand their needs from incomplete communication of the users.
  2. Foresightedness and vision: The analyst must have foresight and vision, so that they can factor in the future requirement of the users even if they have not factored that in the design. The analyst must also have vision with regard to the technological changes. He/she must be able to predict where the business needs and technological capabilities/constraints will be in the future. They should also clearly communicate that the design holds good not only for the short term but also the long term.
  3. Adaptability and flexibility skills: The analyst may be new to the environment of the particular business but he/she has to be quick on the uptake and adapt fast to the culture and environment of the organization. Some flexibility in the understanding of problems is also required along with the flexibility to come up with alternative solutions.
  4. Selling: The analyst needs to have flair to sell their ideas and solutions to the users. Sometimes this may be difficult as the users and clients might not know what solution will serve them best. The analyst needs to employ his selling skills to convince the users on the suitability of a solution.
  5. Patience and rationality: The analyst needs to be patient and rational so that he/she does not rush to a solution. If they make haste then they might miss critical information about the problem/opportunity and end up promoting a wrong solution for the users. Rationality is also a virtue for the system analyst, as this will help them in analyzing the problem/opportunity with a clear mind without prejudice.
  6. Sound temperament: The analyst needs to remain calm in the face of adverse situations. Most of the time the critical data that the analyst seeks is hard to come by and may be late in coming. The analyst will have to put up with all this and be calm in such situations. Thus, the temperament that he exhibits will help him in devising an appropriate solution for the client.
  7. Management skills: These skills are an absolute necessity for any analyst. The system analyst has to deliver in spite of several constraints; hence they must have good management skills to manage the time and resources at their disposal. The particular management skills that they need to have are:
    1. Time management skills. This will help them adhere to the strict schedules of the task.
    2. Project management skills. This will help them manage the project within the boundaries of time and cost.
    3. Man management skills. The analyst will need human resource skills so that they can manage people working under them. This skill will also help them to connect to people in the client organization so that there is greater acceptability for their solutions.
    4. Team management skills. The analyst must be a team player. They have to work in a team and they should ensure smooth team functioning.
    5. Organizing and directing skills. These are basic managerial skills that the analyst must have to conduct the analysis properly.
    6. Negotiation skills. The analyst should be a good negotiator to get his way around for the purposes of selling his solution and to get the relevant data from the client.
  8. Leadership quality: The analyst must exhibit leadership and take initiative to understand issues pertaining to the organization and its line of business in a proactive manner so that they are well aware of the associated issues of the problem/opportunity as well.
  9. Training and documentation capability: The analyst needs to be a good trainer as they may be called upon to enhance the capacities of the users. Their documentation skills will also have to be good, as without those skills the communication with the technical team will remain incomplete.
  10. Presentation skills: The analyst must have good presentation skills that will help him to communicate better.

The technical skills required by the system analyst are:

  1. Creativity: This skill will ensure that the analyst can give the users novel technical solutions for the same problem.
  2. Problem solving: This skill will help the analyst form a systems approach to problem solving so that they are able to bring structure to a problem even when there is none.
  3. Technical knowledge: The analyst needs to have concrete knowledge in the technical domain so that they are able to generate alternative solutions to a problem. Without the technical know-how they will not be able to develop the solution. The analyst must also have a broad knowledge of the entire technical domain. The broad spectrum of knowledge will help them be flexible in their solution approach and will ensure that they have a better understanding of the future of technologies.




Information System Plans

By Dinesh Thakur

Planning is the key to success in developing a good IS. IS planning brings into focus the reason for the existence of the IS and helps the developers to undertake the task of developing the IS in a structured manner. Organizations undertake planning for IS for several reasons. Typically, IS plans have a hierarchy, with different levels of management handling different plans.

                      Flow Chart to Identify the Need for a New Information System

Strategic Information Systems Planning

This is the first plan of information systems within an organization. It is foremost for defining the role information systems will play in the overall scheme of things. Typically, top management formulates a charter for information systems, or the CIO formulates the charter and gets the approval of the top management. With the charter, the mission of the information system in the organization is also formulated. Thereafter, the constraints and environment in which the IS is to be implemented are analyzed. In this, the strategic objectives, policies, human resources, maturity of IS usage of the organization and the present and future information needs of the organization in view of changes in technology are analyzed. Following the broad mission and the analysis of environment and constraints, concrete objectives of information systems are laid down along with the plan for achieving the objectives. The plan will include broad guidelines on allocation of resources, mechanisms of control of the process of information system development and other guidelines for implementing the strategies of the plan.

Long Range Information System Planning

This is the second stage of planning done primarily to understand the user needs and objectives. This sort of plan does not go into project specific details but rather focuses on the expectations of users from the system. Typically, this kind of planning is done with a time horizon of five to ten years in mind. Broad characteristics of information systems based on the needs of the users are dealt with in this plan along with the technology trends in the information technology space and long-term objectives of the organization. The long-term plan requires greater detailing than a strategic plan and is normally prepared by senior executives in the organization which is then approved by the top management. Ideally, senior executives from different departments are involved in this process. The following step-wise course of action is normally taken to prepare a long-range information systems plan:

Collecting background data

All kinds of data that help in creating a background or perspective for the planning, with regard to the technology scenario, organization objectives, changing needs of the users, competition scenario, potential set of information services in future, availability of resources in future, suitability of organizational culture, etc., are collected and presented as a background.

Analyzing the broad long-term needs

Based on the prepared background, the overall long-term information system needs of the organization are analyzed and defined. This entails an analysis of demand on resources for such information systems and the means to provide them.

Developing the long-range plan document

Formally documenting the above steps into a plan of action results in the creation of this document. This document typically contains information about the objectives, resources to be made available for the IS, future trends in demand for information within the organization, risks and opportunities in developing the IS and organizational issues pertaining to installation of such IS.

The medium-range information systems planning

This is a very important plan for developing the IS. It looks to satisfy the present information needs of the organization by implementing a portfolio of projects. The planning time horizon is one to two years and the focus is on the present. It normally contains the plan of action for the portfolio of IS projects, resource requirements for each, procurement of necessary resources for implementing the projects, staffing needs analysis, budgeting and funding issues, and priority setting of the projects under development. This process of planning results in the information systems master plan document, containing details on:

  1. The present IS situation with regard to usage, technology, work force and other resources.
  2. Analysis of the present IS situation.
  3. Plan of action, including prioritization of projects, aligned with the long-term plan of IS.
  4. Policies under several operational heads like training, procurement, hiring, outsourcing, and security are given in these documents.
  5. Financial implications.
  6. Risk to projects.
  7. Process of development and present status of each project under development.

The short-range information system planning

The time horizon for such a plan ranges from a few months to a year. Operational details and short-term goals and objectives are detailed out in this document. Normally the personnel of the information systems department are involved in the preparation of such a plan. It includes a maintenance plan for existing systems, development plans for top priority systems, technical support required for the development, an operations plan, a training plan, a staffing plan and a financial plan containing practices and procedures for relevant issues, all in the short term of about a year.

                         Different Information Systems Plans




Information Systems Planning

By Dinesh Thakur

One has to plan the information which the management information system will churn out for the different levels of management. The report structures, information flow, storage, information capture and its strategy, network, applications and security are all planned and designed before the system is created.

Normally, the stages of MIS development conform to a stage-wise development approach, with planning of the system being the first activity followed by analysis and design which in turn is followed by coding, testing and implementation. However, even though the broad stages may be used for most MIS development, the order is sometimes tweaked. Each of the activities given above for development of MIS is a difficult and intellectually stimulating set of tasks requiring technical and managerial skills. In some of the activities, the users are actively involved in arriving at the design of the system.

Normally, the system analyst and his team will be responsible for the majority of the stages in developing the management information system. This is required as the development process requires knowledge of both management and technology, which most line managers lack.

Planning for MIS is probably the most important task in the entire development process. It is the activity which, if done wrongly, may lead to huge cost and time overruns in the development process. The planning process involves, amongst other things, aligning the objectives of the organization with the objectives of the MIS. This activity requires, among other skills, a strategic management orientation and a macro view of the needs and growth aspirations of the organization, as the system will have to be relevant to the organization in the near future. If the organization outgrows the MIS, then the MIS will have to be redeveloped. This, being costly in both time and financial dimensions, is to be avoided.

                        Problem of IS development

However, before we embark on planning, we must have an understanding of what we are getting into. For this, it is very important to understand that the IS development for which the planning is being done can be difficult or easy depending on a few factors. If the assessment of the factors shows that the IS development is easy, planning will be done accordingly; if the assessment shows that the IS development is likely to be difficult, then planning has to be detailed and management has to be involved more in the planning process. The factors must also be explained to the top management, and the possible difficult areas must be clearly identified and monitored throughout the development process. The planning for all this then becomes a part of the IS planning process.

Information systems development becomes easy if:

  1. The management is supportive and has a positive attitude
  2. The existing IS is adequate
  3. The objectives for the new IS are good and clear

In such a scenario, the IS development becomes easy and the IS that is developed delivers value and becomes acceptable to employees easily. However, if any or all of the above factors are not in favor, i.e., management is not supportive or has a negative attitude towards IS or if the objectives of the new IS are bad or if the existing IS is inadequate or all of the factors are together not in favor, then the IS development becomes very difficult. One must factor in these issues before commencing with the information systems planning process.

The Process of Development of Information System: A Typical Software Development Life Cycle

The process of development of information systems in an organization may vary from case to case but ideally the stages of development can be clearly demarcated. The process of development of information system involves the following stages:

  1. Planning: planning is required as without planning the outcome will be below expectations. Planning sets the objectives of the system in clear and unambiguous terms so that the developer may conform to a well laid set of deliverables rather than a high-sounding statement that may mean little to him. Planning also enables the development process to be structured so that a logical methodology is used rather than working in fits and starts. It ensures user participation and helps in greater acceptability and a better outcome from the development process. It leads to a system that is well balanced in both the managerial and technical aspects.
  2. Analysis: is an activity of technical representation of a system. Over the years many methods have been developed, of which structured analysis and object oriented analysis are most widely used. This step or activity is the first technical representation in abstract terms of the system.
  3. Design: is the stage where the model or representation of an entity or a system is done (in detail). It is based on the idea that the developer will be able to develop a working system conforming to all the specifications of the design document which would satisfy the user. It is a concept which has been borrowed from other branches of engineering, where the blueprint of a system or entity to be built later is first created on a piece of paper or digitally to help developers in conceptualizing the system and understanding its specifications.
  4. Coding: is the actual stage of writing code to develop the application software according to the specifications set by the design document. The programming done at this stage to build the system is dictated by the needs of the design specifications. The programmer cannot go beyond the design document.
  5. Testing: is the testing of the system to check if the application is as per the set specification and to check whether the system will be able to function under the actual load of data. The testing is also done to remove any bugs or errors in the code.
  6. Implementation: is the stage when the system is deployed in the organization. This process is often a difficult one as it involves some customization of the code to fit context specific information in the system.

Before commencing IS planning, one must also identify the need for a new information system. The above figure gives a flow chart to find out if the existing IS is fulfilling the objectives of the organization with respect to IS. Sometimes, an existing IS can be tweaked or redesigned to align it with the changing objectives and business needs of the organization, but sometimes that becomes too costly or technically infeasible, in which case one has to start the process for a new IS. The above flowchart also gives us a tool to understand whether our existing IS is relevant for our business operations.




Strategic Information Systems Planning

By Dinesh Thakur

Strategic information systems planning is explained below.

The Ad Hoc Approach

This approach towards development of information systems is the worst possible approach, as people in the development process are engaged in perpetual fire fighting. There is no plan available and the development work is carried out as per the wishes of the developer, based on his understanding of what the needs of the user should be. The outcome of this kind of approach is a set of systems that are not synchronized or synergized into one system but a host of systems that work in isolation.

The Data Collection Approach

In this approach, all possible data about the need for the system and about the system is collected. This approach assumes that information systems are best developed based on data from all quarters. This results in lack of focus and understanding as the systems development process gets mired unnecessarily into other issues, like projecting the future information requirement in granular detail by the user.

The Organization Chart Approach

In this approach the information system is developed with the organization structure in mind. It assumes that information strictly flows on the basis of organizational structures. Junctions of information exchange are made on an ad hoc basis which complicates the flow of information and brings in redundancy in the system.

Now that we know how not to approach IS development in an organization, let us discuss the appropriate approaches for IS development.

The Top-down Approach

The top-down approach is used to develop IS with the objectives in focus. The objectives of the IS become the most important priority. The objectives are clearly defined in the first step, followed by identification of the activities of the organization. This in turn is followed by the third step in which the decision-making needs of managers within the organization are analyzed and the necessary information flow for facilitating information delivery to managers for decision-making is understood in detail. Once all the details are available, the application is developed. In this type of system the objectives become the mainstay of the system. However, for this kind of system, the requirements from the systems have to be clearly understood upfront to avoid any problems in the development process. This is because the strategy of development is such that the design is not adequately dynamic.

The Bottom-up Approach

In the bottom-up approach, we find out the type of information that is produced in the operational subsystem and then work backward to integrate this with the entire IS structure to have an organization wide impact. In this design, there is more flexibility to change the information system deliverables even during the development process as the individual subsystems are not designed according to the demands of the upper layers as in the case of top-down approach. On the contrary, here the upper layers are integrated with the lower layer subsystems to create the IS. Thus, bottom-up systems can expand in response to real-world changes and needs of the organization.




Importance of Information Systems Management in an Organization

By Dinesh Thakur

The degree of success of any information management initiative or intervention in an organization depends upon the approach of the management of the organization towards such an initiative. If the approach is short term and the benefits or objectives envisaged are too narrow, then the information system remains only of marginal value.

On the other hand, if the management is fully convinced of the need for such a system and gives it wholehearted support and backing, then naturally the process of information system development is adhered to in a more comprehensive manner, with proper planning, listing of objectives, proper analysis and design and proper implementation. This results in a superior information system that can not only fulfill the information needs of the organization in the present but can also continue to serve the organization in times to come.

The objectives and deliverables planned for such a system are well structured, and the users, i.e., the managers, are involved in the planning and designing stage of the development process of the information system. There is no gap between the expectations and deliverables. This means that there is no misunderstanding between what the managers want from the system and what the developer designs the system to deliver. This leads to greater acceptability of the system within the organization and leads to greater return on investment as far as the organization is concerned. The training required for the managers is also much less if they are involved in the process of development.

The role of the top management also comes into focus in the development process. The top management, by giving its full support, may choose to send a message to the entire organization that leads to greater acceptability of the system and less resistance to change. If the top management is ambivalent, problems of acceptability and conflict arise. Information systems are known to cause conflict, resulting from a resistance to change of mindset amongst employees. This behavior may to an extent be controlled without human resource intervention if the top management support is not only given to the project but also made well known across the organization. This means that communication is needed for the system, and the support of the top management should be well communicated to the employees to gain greater acceptability and a smooth transition.

Most organizations choose to outsource the work of development of information systems to specialized IT firms. This brings to the fore the necessity to control the outsourcing process. The problem with the strategy of outsourcing the development work of information systems is that the outsourced agency may not understand the specific internal requirements of the organization. Specialized IT consulting firms are available to control this process on behalf of the organization. Typically, the IT consulting firm studies the needs of the organization and prepares a design document in consultation with the users, i.e., the managers of the organization, and then the IT development firm develops the system by adhering to the design. Suitable control is exercised by the organization in which this information system will be implemented, in the form of discussions, ratification of prototypes, etc., along with controls exercised by the IT consulting firm, like comparison of the design with the actual development. This ensures that the product is prepared as per plan and that any deviations are noticed during the development stage and not during the implementation stage. This ensures that corrective measures can be taken to rectify the mistakes, if any, without much impact on cost or time.

In some cases, the organization may choose to develop the information system with its own resources. This is difficult, as in today’s world the technological development in information technology and communication technology has been so great that it may be almost impossible for normal organizations, i.e., those whose main job is not IT consulting or IT development, to garner the technical expertise of an IT development firm and then develop a system from scratch. This will not only be very costly for the organization but may lead to unreliable results. In such a case, the managerial objectives will be clear and well adhered to but the technical objectives may suffer.




Relationship between Information Technology and Business Strategy

By Dinesh Thakur

Several categories of IS and BS relationships exist. Primarily, such relationships indicate the extent of maturity of an organization in the use of IS. An organization that uses IS for bringing in efficiency in its business processes is looking at IS through a different prism than an organization that is looking at IS to provide it with insights on how to be more competitive. The organizations are at different levels of maturity.

Using IS to Reduce Costs

Organizations use IS to bring in greater efficiency in their business processes to reduce cost of operations thereby also reducing the cost of offerings. Such a strategy of using IS with the motive of cost control alone takes a narrow view of the capability of IS in the overall scheme of doing business. In this case, IS follows the business strategy of cost reduction. Indeed IS are used as a weapon to implement the business strategy. IS in such organizations are structured and focused on delivering greater efficiency to the organization by streamlining the processes but is not tailored to provide the management of the organization.

Using IS to Differentiate Products and Services

Organizations at a higher maturity level of information system use it for creating a competitive advantage by helping them take decisions that differentiate their products and services from those of their competitors. Organizations like Capital One, Google and Netflix use the power of information to the fullest. They derive predictive value which enables them to be always one step ahead of the competition, as they are able to predict the direction of the market and differentiate their offerings to suit the market needs. They keep their ears close to the market pulse with the help of IS. They regularly check their own transaction data to see the emerging or changing patterns of customers, which might help them to offer a new product or service to differentiate their offering. This requires complete top management support and a holistic approach towards IS. When the management is convinced of the benefits of IS and the organization as a whole has reached a degree of maturity in dealing with IS, then this kind of linkage between strategy and IS is possible.

Using IS to Focus on a Particular Market Segment

This is another example of IS being used in isolation. Organizations use IS to keep track of a particular segment of market which interests them. This sometimes requires integration of IS with external data sources.

Using IS to Build Stronger Linkages

IS can be an important tool to maintain linkages with your own network of suppliers and customers, as the vendor relationship management systems run on this premise. A strong and reliable IS linking the organization with its business relations, like vendors, customers and regulators, leads to better communication and understanding between the different business entities. This is another role in which IS is now being significantly used: the role of networking. In this role, IS is used more as a medium of communication than as a decision support tool. In this role, IS works as a source that determines the information flow among different business entities.

Using IS for Information, Knowledge and Leadership

IS can be used in itself as a strategy to provide the organization with information and knowledge leadership. The speed and insights provided by IS result in faster turnaround times for new products and services. Leadership in IS results in quicker and more incisive insights reaching the market from the organization. As R&D times reduce, customer preference is easily mapped and the organization is lean and always geared to manage change. This gives a strategic advantage to a firm.




Information System and Business Strategy

By Dinesh Thakur

Information systems when used for providing information to managers for their decision-making needs become a management information system. The goal of such information systems is to provide relevant information to management so that it helps in its functioning.

Since decision-making is the most important task performed by the management at different levels, information that helps managers to take decisions is the most important objective of any management information system. Other information that is relevant for managers in helping them in their planning, controlling, organizing and directing activity is the secondary objective of any MIS.

However, an information system is normally not dynamic enough to alter itself to a degree that it can handle changing requirements from users. Hence, information systems are planned to take care of every possible eventuality as far as type of information is concerned. Management may require diverse types and combination of information and this is factored in the planning process. The system is planned in a way that it can handle future new requirements of information from managers.

The business strategy of the company is very important in planning for information systems. The information systems plan is drawn up in a way that it supports the strategic objectives of the organization even in the near future. It is for this reason that the strategic role of information system has to be clearly defined in the planning processes itself.

What is Information System Strategy?

The information required to support business strategy and the development of information systems relevant to providing such information needs to be planned and fitted with each other. This alignment of business strategy with IS results in information systems strategy. It is a continuous process that helps the IS support structure to continuously remain relevant for any organization’s strategic goals and objectives.

Information System Infusion and Diffusion

Information systems can have the effects of infusion or diffusion in an organization. If both diffusion and infusion are low, information systems will be used only in silos for data processing. If diffusion is high and infusion is low, then we will have a decentralized information system. If infusion is high and diffusion is low, we will have information systems that are critical to operations only. However, if both diffusion and infusion are high, our information system will give us strategic and competitive advantage.

                                             Diagrammatic Representation of the Linkage between Strategy and IS and IS Planning

 

                         Information Diffusion and Infusion relationship

How can IS be Used Strategically

In the absence of a cogent strategy for IS, it will deliver information that may be of little strategic value. Moreover, operationally, the different technology platforms and the different systems that make up the entire information systems of an organization may not work in a synchronized manner unless all the systems and technology conform to a bigger strategic vision. Incompatibility will be the rule rather than the exception. Business goals and objectives will not be largely affected (positively or negatively) by such directionless IS. Opportunities will be missed. With a tactical focus, IS cannot deliver strategic value to organizations. IS therefore must have a strategic focus. It must be closely aligned with business strategy and must be driven by business needs rather than technological possibilities. It should be integrated with the organizational strategy to deliver information that helps management to beat competition and thereby use IS as a tool for competitive advantage. IS in such a case has to deliver predictive insights into business issues.

                      Diagrammatic Representation of the Organization's Business and Information Technology Variables and Their Relationships

Why we need a strategic Approach to Information Systems

If we analyze the history of information systems and how they have been put to use in organizations, then we get to see three eras (Ward 1990). In the initial or first era, information systems were primarily used as data processing tools and the focus was improving efficiency of repetitive work by automating such data processing and back office work. In the second era, management information systems were the rage. MIS focused on improving information flow within the organization so that the right person gets the right information. Essentially, MIS was used as a reporting aid and thus by definition, reactive in nature. The third era of information systems is dominated by strategic information systems which work as a game changer in a competitive environment providing the organization with the upper hand. The focus in these kinds of IS is IT applications for predictive insights into the competitive market conditions and other strategic goals of the organization. In the present date, this kind of IS finds acceptability and is used extensively in the corporate world. The table below clearly lays down the differentiating characteristics of the different eras of IS.

                                   Strategy 1: Different Eras of Information Systems

Time: Fifties and sixties
Era: Data processing
Characteristics:
  • Cost minimization
  • Repetitive work
  • Operational work/data
  • Back office work
  • Removed from actual users
  • In silos
  • On standalone system(T)

Time: Seventies and eighties
Era: Management information system
Characteristics:
  • Interconnected information flows
  • Close to users
  • Distributed processing
  • Focus on providing right information to the right person at the right time
  • Focus on providing information that helps in decision-making
  • User need driven
  • Supports the business processes
  • Management oriented

Time: Eighties and nineties
Era: Strategic information system
Characteristics:
  • Networked
  • Integrated
  • Predictive insights
  • Business driven
  • Aligned to business strategy

Unless information systems fit into the broad strategy of the firm, it is likely to generate suboptimal results for the firm. The true potential of information systems can only be realized if the organization adopts a strategic approach towards the information system resource. IS in this regard should be considered as an asset that can provide insights that help in improving the business of the firm in any manner rather than as an expense (to get information about one’s own organization). Actually, IS should fit into the strategy of the firm and help in achieving the strategic objectives.

Information systems need a strategic orientation, as without such orientation they will lose focus: more focus is given to technology, whereas business needs are their primary focus. The strategic orientation of information systems helps them to have definable goals and objectives of their own.

Information systems can be used strategically to:

  1. Improve integration or process within the organization. This helps in improving overall efficiency and performance.
  2. Link the organization with customers and suppliers. This ensures that the reaction time for the organization is low and that effectiveness of the firm improves.
  3. Provide top executives with critical information about the organization. This helps in better management as information flow improves and leads to better decision-making.
  4. Enable improvement in products and services. This helps in the competitiveness of the firm.

Use of Information Systems by Different Category of Companies

Information systems are used by different companies in different ways. One of the ways to find the use of information systems in organizations is to use the BCG matrix. The use and adoption of information systems depends upon where the companies lie in the BCG matrix. Star companies use IS to improve products and services and for innovation, while Dog companies use it for support and cost reduction only. Cash Cow companies use it to improve productivity and Wild cats use it for insights and differentiation.

                     BCG Matrix of an Organization's Option for Implementing IT Solutions




The 7’S model

By Dinesh Thakur

McKinsey developed this model in the 1970s to determine the ease or ability of an organization to adapt to change. The primary focus of this model is on coordination. It is an excellent tool for self-diagnosis of problems by an organization, as it clearly lays bare the problem areas of the organization and highlights them. Even though it was proposed in the 1970s, it still has some use in today’s ever changing organizations. The component elements of this model are:

  1. Style-the first constituent element of this model is the style of functioning of the organization, its organizational culture and climate.
  2. Skills-the second element is the skill set of the organization and its people.
  3. System-is the third element of the model. It refers to the processes and systems of the organization, which are used to maintain control and for directing.
  4. Structure-is the fourth element of this model. It refers to the structure of the organization, i.e., rigid or flexible. It also indicates the powers of the executives and the channels through which the power is to be exercised.
  5. Staff-is the fifth constituent of the model and it refers to the employees of the organization.
  6. Strategy-is the sixth element and it stands for the activities that the organization indulges in for gaining competitive advantage in the market.
  7. Shared value-is the seventh and last element of the model and it refers to the common set of values that each employee of the organization stands for. This has today gained importance in view of the series of corporate governance challenges that are being faced by the companies.

                                McKinsey 7'S Model

Information is required in both strategy planning and strategy implementation. Without the right information about opportunities, threats, markets and changes in business environment, competitors and their plans, the organization’s own strengths and weaknesses and government guidelines and policies, business strategy can neither be planned nor the planning be implemented with elan. Information thus plays a very crucial role in strategy. This fact was however ignored by the top management until the mid-nineties, when top executives began to realize the connection and the potential to leverage information systems for strategy development and implementation. Today in most organizations there is a buy-in by top management on this linkage between strategy and information systems. In fact, information systems are now being developed in a way that they are aligned to the strategy and help in its planning and implementation. Thus, a new concept of strategic information systems has developed. New developments in the field of information management and information systems have contributed to the development of this area.





Dinesh Thakur is a Technology Columnist and founder of Computer Notes.
