Information Resource Management

Information Resources Management (IRM) is the process of managing

information resources to accomplish agency missions and to improve agency
performance, including the reduction of information collection burdens on the
public. When standardized and controlled, these resources can be shared and
reused throughout an agency, not just by a single user or application.

There are three (3) classes of information resources:

Business Resources: Enterprises, Business Functions, Positions (Jobs),

Human/Machine Resources, Skills, Business Objectives, Projects, and
Information Requirements.

System Resources: Systems, Sub-Systems (business processes), Administrative

Procedures (manual procedures and office automation related), Computer
Procedures, Programs, Operational Steps, Modules, and Subroutines.

Data Resources: Data Elements, Storage Records, Files (computer and

manual), Views, Objects, Inputs, Outputs, Panels, Maps, Call Parameters, and
Data Bases.

One of the important by-products of cataloging and cross-referencing

information resources is a model of the enterprise, including how it is
organized and how it operates. Other benefits include:

All information resources are controllable, permitting the ability to design

integrated systems and perform an “impact analysis” of a proposed resource
change.

The simplified search of information resources for reuse. The redundancy of

resource definition is eliminated.

Complete and current documentation of all information resources, in an

organized and meaningful way.

Communications within the organization are improved since developers and

users would use standard and common definitions for information resources,
all of which would be in standard business terminology.
Implementation of MIS

Implementation of a system is as much important as the creation of it.

Implementation can easily destroy the good work done in the earlier phases
and bring the system to a standstill. Implementation requires technical and
managerial skills as the implementers work as change agents. Implementation
is also a process that has a series of sequential steps which culminates in
making operational the new system.

Implementation Plan

It is the series of action-oriented steps planned for making the implementation

smooth. It normally involves the following steps:

 Creating a master schedule of the implementation activities

 Setting timelines for critical and non-critical activities
 Identifying major bottlenecks and their solutions
 Communication of the plan
 Organizing the MIS Department

The MIS department will be the custodian of the new system. Hence, they have
to be gear up to support the new system. Organization of the department is
therefore necessary before the new system becomes operational. The roles of
each member of the MIS department have to be clearly laid out before the new
system becomes operational. Effort is made to ensure that the role of the MIS
staff is understood by each member of the organization. Training is provided to
those who need training on the new system so that they in turn can help
others. This process of organizing the MIS department starts much before the
actual implementation process begins as it entails some hiring and training
which requires some lead time.

Selection and Procurement of Hardware

This step of the implementation process is an important step as it involves

huge investments. Proper care is taken to ensure that the organization gets the
best deal from such selection and procurement of the hardware.

Procurement of Software

The new system being implemented will have been created based on
assumptions of operating environment of the organization. Procurement of
system software is done on similar lines as the procurement of hardware. The
only difference in the case of procurement of software is that the choice of what
software to purchase is already made at the design stage of the system
development and hence, the RFP preparation process is straightforward.

Creating the Database

The new system to be implemented will have data stores. In modern systems,
data stores are databases. These databases are relational database
management systems, which is a separate application software package. The
database has to be created and structures inside the database have to be
created in order to enable it to store data. The implementation team creates the
database, its structures and rules so that the application system being
implemented can be plugged into the database and start working.

Training of Users

Implementation is a larger issue than installation. The new system may get
installed but without proper training of users, it may not be of good use.
Implementation is a larger concept and focuses on the installation and hand-
holding part of the transition process. A training needs assessment is done to
understand the training needs of the users. A training programme is planned
and the required training given to users. This is an important part of the
implementation process and helps in reducing the resistance to change related
behavior among the user community.

Creating Physical Infrastructure

The new system being implemented may require a physical infrastructure. The
implementation team must ensure that the system performance must not
suffer due to infrastructure bottlenecks.

Transition to the New System

This is the last step in the implementation process. The transition if done
wrongly leads to a lot of pain. Hence, it is necessary to move slowly on the
transition front.

Information System Controls

Information Systems controls are a set of procedures and technological

measures to ensure secure and efficient operation of information within an
organization. Both general and application controls are used for safeguarding
information systems.

General Controls
These controls apply to information systems activities throughout an
organization. The most important general controls are the measures that
control access to computer systems and the information stored or transmitted
over telecommunication networks. General controls include administrative
measures that restrict employee access to only those processes directly
relevant to their duties, thereby limiting the damage an employee can do. Some
general controls are as follows.

1. Software Controls – Monitor the use of system software and prevent

unauthorized access of software programs, system failure and computer
programs.

2. Hardware Controls – Ensure the computer hardware is physically secure

and check for equipment malfunctions. Computer equipment should be
specially protected against extreme temperatures and humidity. Organizations
should make provisions for backup or continued operation to maintain
constant service.

3. Computer Operations Controls – This include controls over setup of

computer processing jobs and computer operations and backup and recovery
procedures for processing that ends abnormally.

4. Data Security Controls – Ensures critical business data on disk and tapes
are not subject to unauthorized access, change or destruction while they are in
use or in storage.

5. Implementation Controls – Audit the system development process at various

points to ensure that the process is properly controlled and managed.

6. Administrative Controls – Formalize standards, rules, procedures and

control discipline to ensure that the organization’s general and application
controls are properly executed and enforced. Application Control

Application Controls

Application controls are specific to a given application and include measures as

validating input data, regular archiving copies of various databases, and
ensuring that information is disseminated only to authorized users. This can
be classified as input, processing and output controls.
1. Input Controls – Input controls check data for accuracy and completeness
when they enter the system. There are specific input controls for input
authorization, data conversion, data editing and error handling.

2. Processing Controls – Processing controls establish that data are complete

and accurate during updating. Run control totals, computer matching, and
programmed edit checks are used as processing controls.

3. Output Controls –Output controls ensure that the results of computer

processing are accurate, complete and properly distributed.

Controls in Network Information Systems

1. Firewall –The firewall acts like a gatekeeper that examines each user’s
credentials before access is granted to a network. The firewall identifies
names, internet protocol (IP) addresses, applications and other
characteristics of incoming traffic. It checks this information against the
access rules that have been programmed in to the system by the network
administrator. The firewall prevents unauthorized communication into
and out of the network, allowing the organization to enforce a security
policy on traffic flowing between its network and other untrusted
networks, including the internet. Firewalls can deter but not completely
prevent, network penetration by outsiders and should be viewed as one
element in an overall security plan. To deal with internet security
effectively, broader corporate policies and procedures, user
responsibilities and security awareness training may be required.

2. Intrusion Detection System –

In addition to firewalls, commercial security vendors now provide intrusion

detection tools and services to protect against suspicious network traffic
attempts to access files and databases. Intrusion detection systems feature
full-time monitoring tools placed at the most vulnerable places. The system
generates an alarm if it finds a suspicious event. Scanning software looks
for patterns indicative of known methods of computer attacks such as bad
password, checks to see if important files have been removed or modified
and sends warnings to the system administrator. Monitoring software
examines events as they are happening to discover security attacks in
progress. The intrusion detection tool can be customized to shut down a
particular sensitive part of a network if it receives unauthorized traffic.

3. Antivirus software –

Antivirus software is designed to check computer systems for the presence

of computer viruses. Often the software can eliminate the virus from the
infected area. However, most antivirus software is effective only against
viruses already known when the software was written. To remain effective,
the antivirus software must be continually updated.

Information Security

Computers and the Internet are all about information seeking, storage and
exchange. Hence, the topic of security in the digital realm relates to the
security of information. We need to operate in a climate where our
information is not stolen, damaged, compromised or restricted. The
Internet, in theory, provides everyone with an equal opportunity to access
and disseminate information. Yet, as many incidents have shown, this is not
always the case. Governments and corporations realize the importance and
value of controlling information flows, and of being able to decide when to
restrict them.

The security of information is further complicated by malicious individuals

creating computer viruses and hacking into computer systems, often with
no other motive than causing damage. The five features of a good
information security are confidentiality, integrity, authentication and non
repudiation.

Some of the information security mechanisms are as follows.

Windows Security

 Regularly update your operating system

 Know the locations of different files and documents on your computer

 Use a BIOS password to protect the computer at start up

 Use a lock screen function or password-protected screen saver to prevent

immediate access to your computer

 Do not use an empty password or reveal your password to others

 Be careful when installing new software or buying a computer with pre-

installed software.

Password Protection

 Create passwords which are 8 characters or longer

 Remember your passwords and keep them safe. Do not use easy to guess
password.

 Use numbers, small letters, capitals and symbols in your password.

 Never use the same password twice

 Do not use passwords which can be directly related or linked to your

personal life or interests.

 Do not share or tell anyone your important passwords.

 Change your passwords every 2-3 months.

 Remember that there are many programs available free on the Internet,
which will identify your

Windows password, wireless network encryption and just about any other
type of computer password you may have.

Information Backup, Destruction and Recovery

 A backup strategy should include: the files to be archived, the frequency

of updating the archive, location and storage of the archive.

 Sensitive information needs to be wiped from your computer.

 It is good practice to wipe temporary files, Internet cache and free space
on your computer.

 Take good care of your computer’s physical environment.

 If you lose a document, do a thorough search of your computer using the
Windows search function and analyse your hard disk with data recovery
software.

Encryption

 Encryption is the process of making your information inaccessible to all

but the intended party.

You can encrypt a message, an email or your entire computer.

 For secure communications utilise public key encryption. Our encryption

method consists of a public and a private key. We share the public key with
those who wish to communicate with us.

They then encrypt a message to us using our public key.

Malicious software and spam

 There are many types of malware, transmitted from computer to computer

in a multitude of different ways, causing untold damage to information.

 Install and regularly update your anti-virus, anti-spyware software. Run a

firewall and be extremely cautious when opening email or inserting media
into your computer.

 Spam is unsolicited junk email which today constitutes an enormous part

of all Internet traffic and has become a huge problem for people and
networks.

 Be careful with distributing your email address and never reply to or even
open spam messages.

Disaster Recovery Plan

Disaster Recovery is the process, policies and procedures related to

preparing for recovery or continuation of technology infrastructure critical to
an organization after a natural or human-induced disaster. DRP is a
continuous process. Once the criticality of business processes and
supporting IT services, systems and data are defined, they are periodically
reviewed and revisited.

Recovery Point objective (RPO) and Recovery Time Objective (RTO)

In a DRP, RPO and RTO are very critical that needs to be defined and
monitored. RPO is determined based on the acceptable data loss in case of
disruption of operations. RTO is determined based on the acceptable
downtime in case of a disruption of operations.

Steps involved in Disaster Recovery Planning

1. Identify the scope and boundaries of Disaster Recovery Plan.

2. Carry out a Business Impact Analysis (BIA)

3. Prepare the actions to recover for each disaster

4. Get the approval to DRP from the senior management

5. Each business unit need to understand its role in plan and support to
maintain it.

6. The DRP project team must implement the plan and periodically check
the status.

Few strategies to recover the Business Data in a Disaster situation

1. Backup made to tape and send off-site at regular intervals (Preferably

daily)

2. Backups made to disk on-site and automatically copied to off-site disk, or

made directly to offsite disk.

3. Replication of data to an off-site location, which overcomes the need to

restore the data.

4. High availability systems which keep both the data and system replicated
off-site, enabling continuous access to systems and data.

5. Wide area network optimization technology – helps improve the disaster

recovery and increases network response time.

Benefits from Disaster Recovery Plan

 Information is a critical resource to any organization that helps to achieve

the business objectives.

 Continuity of the Business – Ability to continue the business and serve

the customer is another important result due to DRP.
 Credibility from existing stakeholders – The organization is able to keep
the loyalty from the existing stakeholders and this will help the company to
strengthen the position.