Information Systems Operations

1
Information Systems Operations

• IS Operations (Chapter 9)
• Practicum Cendant Corporation

2
What are Operations

• Development and Test
• Production
• Outsourcing and Utility Computing

3
Two Components

• Or you might consider them two sides to one
  system
• Business Operations
• All the tangible physical things that go on in a
  corporation
• Computer Operations

4

• Business Computer Operations

5
Computer Operations

• Only a subset of business operations are
  computerized (automated)
• Computers do the following well
• High-speed arithmetic operations
• Storage and search of massive quantities of data
• Standardization of repetitive procedures
• All other Business Operations require human
  intervention

6
Human Intervention

• Even computer operations require human
  intervention at some level
• E.g., turning the computer on and off
• In both business and computer operations
• Human interventions demand the most auditing

7
Automation Operations Objectives

• Operations should be about following
  predetermined procedures
• The appeal rests largely on the ability to reduce
  or alter the role of people in the process
• The intent is to take people out of the loop
  entirely,
• Or to increase the likelihood that people will do
  what they are supposed to do, and that they do it
  accurately
• People are flexible and clever
• We sometimes dont want to take people out of the
  loop on a lot of systems
• The problem is when a lot of things break at the
  same time.
• Therell probably be a few things that are hard
  to fix, a cascade of effects.

8
Computerized procedures

• Fully automated (computerized) procedures
• Can be audited once with a small data set
• And these results can be considered to hold over
  time

9
_at_ Boeing?
10
The Glass House
11
Mass Storage

• Mass Storage at NASA

• Z Microsystems TranzPacs
• Shared chassis - shared peripherals.
• Less space, less weight, less power, less cost.
• Hot-swappable sealed computer modules (SCM) and
  disk modules.
• Mix match platforms and OS's.
• Independent stand-alone systems.
• Shared peripheral clusters.

12
Server Farms
13
Systems Life Cycle
Audit Here!
14
Operations ObjectivesWhat to look for in an audit

• Production jobs are completed in time
• Output (information) are distributed on time
• Backup and recovery procedures are adequate
  (requires risk analysis)
• Maintenance procedures adequately protect
  computer hardware and software
• Logs are kept of all changes to HW SW

15
Case Study Manual versus Automated Scheduling

• pp. 187-189
• Question Why is automation important?

16
Backup and Recovery Objectives Best Practices

• Determination of appropriate recovery and
  resumption objectives for activities in support
  of critical markets.
• Core organizations should develop the capacity to
  recover and resume activities within the business
  day on which the disruption occurs.
• The overall goal is to resume operations within
  two hours
• Maintenance of sufficient geographic dispersion
  of resources to meet recovery and resumption
  objectives.
• back-up sites should not rely on the same
  infrastructure components used by the primary
  site, and
• back-up operations should not be impaired by a
  wide-scale evacuation or inaccessibility of staff
  that services the primary site
• Routine use or testing of recovery and resumption
  arrangements.
• Testing should not only cover back-up facilities
  of the firm,
• but connections with the markets,
• third party service providers
• and customers
• Connectivity, functionality and volume capacity
  should be covered.

17
How Does Backup Recovery Fit into your Risk
Assessment Framework?

• Your Toolkit Computer Inventory, Risk
  Assessment Matrix, Dataflow Diagrams and Systems
  Components Hierarchy

18
Prioritizing Backup Recovery Tasks

• Find the critical transactions (High value High
  volume)
• Identify the critical applications for processing
  these transactions
• Identify the critical personnel
• including those you may not have hired or defined
  jobs for
• Who are essential to processing these transactions

19
Case Study NYSE after 9/11CNET interview with
NYSE's chief technology officer Roger Burkhardt

• Were most of the trading firms in the area that
  connect with your systems all up and running by
  930 am on Monday (September 17)? Were there any
  from outside or in the area unable to participate
  in trading that morning? We had lost a lot of
  telephone lines that bring in data to our
  computer centers and also voice lines to the
  floor, which would have meant that we would not
  have had full access by all members. That raised
  some public policy issues, particularly for the
  retail investor if their broker-dealer is the
  one who doesn't have connectivity, they would be
  disadvantaged.
• "I think September 11 was the biggest challenge
  that our technical team has had to face in recent
  years." So NYSE faced a connectivity issue on a
  uniquely massive scale?There was a connectivity
  issue that affected not just our market, but all
  markets. There was also the fact that there were
  a number of firms that were scrambling to get
  into their back-up facilities. A number of large
  firms like Morgan Stanley and Merrill Lynch were
  affected. And then there were firms like Goldman
  Sachs, just down the street from here, who were
  like us in that their building was undamaged. In
  fact, the Merrill Lynch building was also
  undamaged, but they were just not allowed to come
  in because the authorities quite rightly wanted
  to focus on rescue operations. That affected all
  the markets. Clearly, if you want a market, you
  want it to be a fair market, with breadth of
  access. You don't want one retail investor to not
  be able to get through to sell or buy.
• So by Monday, how did you manage to connect all
  the firms that connect to your systems? We
  worked with member firms for the balance of that
  week to help them re-establish connectivity. We
  worked very closely with Verizon, whose staff did
  a tremendous job. We have a subsidiary called
  Securities Industry Automation Corporation. It's
  been around for over 25 years and provides data
  processing and communications capabilities for
  the securities industry. It was initially set up
  by the NYSE and the American Stock Exchange, but
  also provides services to a broader part of the
  industry--for example, market data systems for
  equities and options. It also is the collection
  point for all the post trade information for all
  instruments. What is important about that is that
  because so many of us use them, they have
  telephone lines coming in from everybody. They
  play this hub role where they can effectively use
  communications set up for one purpose in an
  emergency to recover something else.
• "With the potential for cyber threats, the advice
  I get is, 'Don't tell anyone about anything we
  are using.'" What other platforms are you using?
  I just used that as an example that we are not a
  trailing edge adopter. And I am a little sad
  about this because I enjoy talking about a bunch
  of technologies here from many great companies
  like HP, IBM and others. But with the potential
  for cyberthreats, the advice I get is, "Don't
  tell anyone about anything we are using.

20
Business Operations

• Computer Operations are a subset of business
  operations

21
Case Studies

• CS 9.3 to 9.7 pp. 195-202
• Question Can you recognize the control
  weaknesses
• What is the Risk from inadequate control in
  each.

22
Practicum Fraud Risk The Internal Control
Environment

• Cendant Corporation