Wednesday, April 23, 2008
Uses of Information Systems – Conclusion
5.1 Information and Data within an organisation
Data enters a company’s information system either as external or internal data, and output may likewise go to external or internal destinations. As data flows through an organisation it is processed in a variety of ways and presented in a variety of forms. At each stage, information can be of differing degrees of quality and this can be affected by how much it is processed or presented. For information to be useful, it must be of a consistently high quality.
5.2 Information Systems within an organisation
Businesses are made up of a wide variety of people with a wide variety of roles. All businesses depend on each of these people playing their part. People throughout the organisation need information, whether their role is at the operational, tactical or strategic level. Simple data processing systems do not afford all the facilities required by these people. Information systems are required to transform transaction data into a form that is useful to managers.
5.3 Management Information Systems
MIS are specialist systems used to assist management within an organisation. Effective use of MIS can be a huge benefit to decision makers. Drawing input from a transaction processing system, the MIS facilitate planning and provide access to live data concerning operations within an organisation. Data from throughout an organisation is summarised in a way relevant to users.
5.4 Strategies used within Management Information Systems
The use of MIS is part of an overall business strategy within an organisation and is maintained as such. A large number of factors influence MIS, both internal and external, and its success or failure depends on its ability to adapt. Consequently, a thoroughly considered information strategy is essential to plan for the future and to manage change within an organisation’s environment.
5.5 Developments and Change within Management Information Systems
Systems may fail through poor research and planning. To avoid this, changes within MIS and the changes MIS impose upon an organisation must be well managed. Many organisations benefit from decision support systems and expert systems, in addition to MIS, which can recommend and explain courses of action or even make necessary decisions.
5.6 Security and Legal Issues within a Management Information System
Many potential security problems accompany new technologies. These threats must be taken seriously and guarded against, lest data is destroyed or removed either by accident or on purpose. Legislation exists to deal with the use and abuse of ICT. Specifically the Data Protection Act 1998, the Copyright Designs and Patents Act 1998 and the Computer Misuse Act 1990 are addressed. These laws have implications for organisations which must ensure their employees are not using company systems for illegal purposes.
5.7 User Support and Training within a Management Information System
Many people do not use ICT efficiently because they have inefficient ways of working. As a result, companies must manage training for all employees in a way that gets the best results, both in terms of productivity and motivation. This training can be provided in a number of ways and many training methods available to companies are also available to private individuals. Support must be provided for people who need help when using their computers, and there are a variety of methods of providing this.
5.8 The Social Impact of Management Information Systems
MIS have had a wide, often unnoticed, impact on individuals, organisations and society, and this impact has affected how many individuals plan for the future and organise daily operations. Both the working life and the leisure time of many people have been affected as a result. Our generation now lives in an environment that is very different from the environment our parents grew up in, and many of these differences are either a direct result or an indirect result of the use of MIS.
5.7 User Support and Training within a Management Information System
No matter how good a system is, it will fail to reach its potential if it is not used properly. Yet, despite this fact, many users adopt inefficient working methods simply because they do not know how to use it to its full potential.
This section deals with the training of users and the process of solving users’ problems once they are trained.
5.7.3 Types of Training and Support
A variety of training methods are available to companies and to private individuals. These are chosen depending on the needs of the company or individual concerned, although not all methods may be suitable in all scenarios.
Documentation supplied with a software package
Most packages are supplied with user guides, and provided the user has a reasonable amount of knowledge, this is a useful first line of support. If the user has very basic skills, the guide may be confusing, particularly if the documentation uses a number of technical terms.
User documentation can be supplied in one or more of the following formats:
- Getting Started instructions. Includes basic instructions on how to install software or hardware and often refers to printed or electronic manuals for further help.
- Printed Manuals. Due to high printing costs they are not usually supplied with commercial packages any more, although users have the option of paying extra for them.
- Manuals supplied on CD. Many vendors supply entire manuals electronically instead of printing them. This is cheaper and easier to search than a printed manual.
- A searchable help index. This allows the user to type keywords relating to their query to search all available help topics.
- Tutorials built into online help. These take users step-by-step through common tasks.
- A list of FAQs. Many users can learn a lot from browsing through a compiled list of common queries and their answers.
- Tip-of-the-day. When some applications start, a random tip is displayed, often telling the user of a feature in the product that they may not be aware of.
Computer Based Training
This extends the idea of the tutorials which are built into the package by adding a separate program that replicates aspects of the software that a user is being trained to use. The tutorial takes users through a series of exercises and may have a test at the end.
Telephone Help Desks
Many vendors operate support lines for their products. The advantage is that users can describe the problem to someone who has often seen the problem many times and knows precisely how to help. If the user can’t describe the problem or if the support personnel do not understand the problem, frustration may occur.
Online user groups
Many programs have unofficial groups of users who help each other, often via an online conference. Experienced users often welcome the interests of new people and are willing to help them. Archives of old material from groups are often available on the internet.
Vendor Newsletters
These are often sent to registered users of products, usually by e-mail. A newsletter can tell customers about product updates or other services provided by the vendor. It can also be used to tell customers of security alerts immediately. Newsletters will often include useful tips on using the software.
Organised Training Courses
In an organised training course the user receives personal attention from a tutor and can compare learning experiences with others. Although this training must be paid for, many people find that it is a worthwhile investment.
People usually take part in these courses to learn about unfamiliar software or to gain formal qualifications.
Companies can also use training courses, and often fund employees to complete formally recognised courses in their own time. A company may arrange for employees to be sent on a few days/weeks intensive training on one single topic. Those trained may then be expected to train their colleagues.
This is more expensive but has the advantage that an ‘expert’ is present within the organisation.
Large organisations may even run training courses in-house, where a group within the company will have the responsibility of providing training courses for staff. This has the advantage that courses are designed for exactly what the company requires. However, the expertise may not be available internally. In this case a company may choose to outsource its training. This ensures that tutors are proficient in the subject taught. However, it may not be possible to tailor courses to a company’s precise needs.
A major advantage of training courses over any other form of training is that a person’s time is dedicated to training alone. The course usually takes place outside the usual workplace and therefore well away from distractions.
Video Training
This involves a user, a series of videos, and a set of exercises to follow. The video tutor describes and demonstrates a topic, and may refer users to exercises. If the users miss something they can rewind and watch again, but have no opportunity for questions. Companies can invest in a set of tapes as a “one off” and pass them around employees, rather than sending many people on the same course at a huge cost.
Printed Tutorials
These are unlike the workbooks used in some schools and take a student through the main features of common software packages. A good index allows the user to find topics of particular interest if they do not want to work through the entire book. Such material can be provided by software developers or may be written by a third party. It may be presented as a book or a series of tutorials in a periodical.
Company Intranets
Intranets can be used to publish support material that has been written internally or for hosting company-wide forums. Some companies prefer to use an intranet to host their internal discussion boards because of concerns over the security of sensitive material and also the accidental redistribution of copyright material.
5.7.4 Choosing training and support methods
The precise nature of the training and support chosen depends on a number of factors. For private users, the financial cost will be a greater concern than it is to large companies. However, within a company, other costs will be considered such as the disruption caused by sending an employee on a course, as compared to the costs of them using equipment inefficiently.
Other considerations include the following:
- Needs of the User
For example, senior management have different training needs from a secretary. Likewise, new graduates need different training regarding the operations of a network than a senior network manager. The contents of any training must be relevant to those being trained.
- Qualifications Awarded
Popular suppliers, such as Novell, Microsoft and Cisco, certify training. Employers often prefer such a course because they know it is of a definite standard. Employees may also prefer them because it gives them something valuable for their CV.
- Is the software off-the-shelf or bespoke?
For bespoke software, a company may have little choice but to use the vendor as the source of training until they have sufficient internal expertise.
- Is the software popular?
If the software has been available for a long time a number of dedicated materials and courses are probably available online. If new software is likely to have a wide user base, training organisations will probably develop courses as soon as it is available, or use pre-release copies of the software to prepare in advance.
- Level of the course
Before choosing a course or a book, it is important to know if it is aimed at novice or advanced users.
- Does it disrupt work?
In some environments, tutorial methods that do not take a person away may be preferred. This is often true if the material involved is not vital to work at that moment in time, e.g. if they are researching it for future use. For some courses it may be desirable to get away from all distractions.
- Cost
Sending people on training courses is expensive. If management does not feel employees will significantly benefit, other training methods will be preferred.
5.6 Security and Legal Issues within a management information system
By the end of this section you should be able to describe:
- The threats to a company’s information systems
- The need for a security policy and what it contains
- The measures in place to avoid or minimise the impact of disasters
- The laws that relate to ICT and their implications on companies and society.
5.6.2 Threats to an organisation
There are several types of threats to an organisation’s data, including the following:
- Events completely out of an organisation’s control, such as natural disaster, fire, war or terrorism.
- Events which happen, but the frequency of their occurrence can be controlled, such as operator error, faulty software or hardware failure.
- Threats from the internet, such as hackers, viruses and ‘Trojan’ horses.
- Insecure communication channels e.g. intercepted phone calls, e-mails or letters (from within a company’s own post room) or employees removing secure data.
- Unauthorised access to premises including break-ins or imposters e.g. thieves posing as workmen and stealing property or data.
- Ex-employees who access company systems from the outside world to cause damage.
The impact of these threats can be minimised if managed properly. That’s why businesses should consider a proper security policy.
5.6.3 Security Policies
A security policy is a set of documents outlining a company’s assessment of threats and proposed ways of dealing with them.
It is normally the final responsibility of a director of the firm to ensure this policy is implemented. A security policy is the most critical element of an ICT security programme as it defines how all other aspects of security will operate.
A good security policy should do the following:
- Assess Risks
This includes noting who has access to different types of data and the consequence of losing access to it, as well as the consequences of software failure and theft, either by physical or electronic means.
- Implement ‘layers’ of security
Many obstacles should be placed in the way of any person with malicious intent. These include physical security, access controls, secure communications, audit trails and usage monitoring, anti-virus software and personnel security.
- Educate Users
Many security problems result from human error and can be avoided by encouraging employees to act responsibly.
Layers of Security
Physical Security
Unwanted visitors can be prevented or deterred by methods such as:
- bars on windows, especially at ground level.
- armed guards
- electrified fences
- walls topped with barbed wire
- Visible security cameras
Access Controls
It is normal to have a system of user identities and passwords to restrict access. Some firms go further:
- A swipe card reader at each terminal, which recognises the door pass only of people authorised to use that machine.
- Disabling an employee’s user account when that person is not supposed to be at work and forcing employees to log off during breaks.
- Preventing employees from accessing more than one terminal at a time.
- Password protected screensavers which activate if an employee forgets to log off or is temporarily away from their desk.
- Disabling accounts that have incorrect passwords entered on multiple attempts.
- Disabling accounts of former employees
- Biometric measures, such as fingerprint or iris recognition.
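The sketch below is an added example, not part of the original notes, showing how several of the access controls listed above (lockout after repeated wrong passwords, disabled accounts for former employees, logon only during working hours, one terminal at a time) can be enforced at logon, with every attempt written to an audit log. The account names, the threshold of three attempts, the shift times and the salted PBKDF2 password hash are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

MAX_FAILED_ATTEMPTS = 3   # assumed threshold; the notes only say "multiple attempts"
PBKDF2_ROUNDS = 100_000   # assumed work factor for the salted password hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    shift_start: time
    shift_end: time
    employed: bool = True
    locked: bool = False
    failed_attempts: int = 0
    active_terminal: Optional[str] = None


@dataclass
class AccessController:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_account(self, user, password, shift_start, shift_end):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt),
                                      shift_start, shift_end)

    def _record(self, when, user, terminal, outcome):
        # Every attempt, granted or denied, leaves an entry for later review.
        self.audit_log.append({"time": when.isoformat(), "user": user,
                               "terminal": terminal, "outcome": outcome})
        return outcome

    def login(self, user, password, terminal, when):
        acct = self.accounts.get(user)
        if acct is None:
            return self._record(when, user, terminal, "denied: unknown user")
        if not acct.employed:
            return self._record(when, user, terminal, "denied: former employee")
        if acct.locked:
            return self._record(when, user, terminal, "denied: account locked")
        supplied = hash_password(password, acct.salt)
        if not hmac.compare_digest(supplied, acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True  # stays locked until an administrator resets it
                return self._record(when, user, terminal,
                                    "denied: wrong password, account now locked")
            return self._record(when, user, terminal, "denied: wrong password")
        acct.failed_attempts = 0
        if not acct.shift_start <= when.time() <= acct.shift_end:
            return self._record(when, user, terminal, "denied: outside working hours")
        if acct.active_terminal not in (None, terminal):
            return self._record(when, user, terminal,
                                "denied: already logged on at another terminal")
        acct.active_terminal = terminal
        return self._record(when, user, terminal, "granted")

    def logout(self, user, terminal, when):
        acct = self.accounts.get(user)
        if acct and acct.active_terminal == terminal:
            acct.active_terminal = None
            return self._record(when, user, terminal, "logged off")
        return self._record(when, user, terminal, "ignored: not logged on here")


def demo():
    """Run a constructed sequence of logon attempts and return the outcomes."""
    ctl = AccessController()
    ctl.add_account("asmith", "Blue42Kettle", time(9, 0), time(17, 30))
    ctl.add_account("bjones", "Grey17Window", time(9, 0), time(17, 30))
    ctl.accounts["bjones"].employed = False      # bjones has left the firm
    morning = datetime(2008, 4, 23, 10, 15)
    evening = datetime(2008, 4, 23, 21, 0)
    outcomes = [
        ctl.login("asmith", "Blue42Kettle", "T1", morning),
        ctl.login("asmith", "Blue42Kettle", "T2", morning),
        ctl.logout("asmith", "T1", morning),
        ctl.login("asmith", "Blue42Kettle", "T1", evening),
        ctl.login("bjones", "Grey17Window", "T1", morning),
        ctl.login("asmith", "guess1", "T1", morning),
        ctl.login("asmith", "guess2", "T1", morning),
        ctl.login("asmith", "guess3", "T1", morning),
        ctl.login("asmith", "Blue42Kettle", "T1", morning),
    ]
    return outcomes, ctl.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The outcome strings are what goes into the audit log; the message shown to the person at the terminal would normally be a single generic refusal.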
Passwords
Passwords should:
- Be regularly changed. Many companies force employees to change passwords at set intervals and block network access to anyone ignoring this or trying to use an old password.
- Contain numbers as well as letters.
- Be held in an encoded file which can be decoded only by network software.
Access Rights determine the way in which users may access particular files or records.
Within a database, users may have the ability to view particular data (i.e. read access), modify it (edit access), create new files (write access) or, in the case of programs, run them (execute access).
Secure Communications
It is vital that communications are secure. For example, companies may insist that all internet communication is encrypted, which can prevent the actions of certain viruses or Trojan horse programs. Without blocks on unauthorised programs, such programs could be used to send private data out of a company without the user realising what is happening.
Also, the use of a firewall can prevent access by hackers. A firewall makes a network or PC appear invisible to the outside world. A firewall can also block unauthorised programs sending or receiving data.
Audit Trails and Monitoring Usage
It is good practice for transactions to be monitored at all stages of processing. This benefits both company and customer. If anyone changes a record, a record is kept of who made the change and what they did.
An audit trail is generated by a system for the benefit of accountants. It allows them to follow all stages of all transactions easily. Public companies have to be able to give account of all money and business in order to prevent fraud. All business documents, including e-mail, must be recorded for six years as part of this. Log files are generated each time a user logs on, accesses a record or changes a file. With the correct software, it is possible to monitor everything an employee does. While this is useful in accounting and certainly reduces wasted time, it may create fears of management ‘snooping’. Employees guilty of wrongdoing have little defence.
Anti-Virus Software
All PCs should have effective anti-virus software installed and regularly updated. Because modern viruses spread rapidly, an out-of-date virus checker is of little more use than one that is not installed at all. Many viruses spread as infected files attached to e-mails that trick users into opening them. Many viruses are targeted at security vulnerabilities in some software, for example Microsoft Outlook and some versions of Microsoft Windows. For this reason, security updates to software must be installed if they are available.
Personnel Security
Firms must be careful about who they employ, both to ensure they do not have an interest in rival firms, and to ensure that they are not potential hackers.
5.6.5 What determines a good ICT security policy?
A good ICT security policy:
- Has realistic aims, in relation to the purpose of the organisation.
- Identifies areas of responsibility for users, administrators and management. Everybody should be able to do their part without worrying about other people doing theirs.
- Provides clear and complete guidance to those involved in security incidents, which prevents foolish decisions being made as a result of people panicking.
- Defines how incidents will be handled. In addition to guidance given to people involved at the time, there should be a clear set of steps relating to further investigation, software modification, informing other people in the organisation and even the media.
- Is flexible and can be updated according to changes in technology or the organisation’s ‘mission’. As a result of technology changes, a security policy that was excellent 10 years ago may be inadequate today. For example, e-mail borne viruses were unheard of ten years ago, as were hackers taking advantage of internet chat facilities. Any organisation that adopts new technologies or ways of working must evaluate new risks.
- Is the responsibility of a senior member of the organisation because of the importance of security, though they may delegate certain roles.
One of the main factors in security breaches can be staff. A security policy should identify the roles and responsibilities of users and make provision for their education.
In this section, the policy should contain the following:
- Procedures for obtaining network access and deciding what data users may and may not access. Users should have access only to programs that they need. In some firms users might not have ‘full’ access to data until they have earned trust, working under direct supervision for a time.
- A statement of what is and is not acceptable for personal use of computer systems. Usage of the internet may be monitored to prevent illegal or immoral material being accessed from company machines.
- Procedures concerning passwords, including how often passwords are changed and procedures for dealing with those who are not responsible for passwords.
- Procedures for using removable storage devices since these can introduce viruses or can be used to remove secure data.
- An identification of acceptable standards in the use of e-mail. For some firms e-mail is informal and can therefore cause problems.
- Restrictions on installing applications and hardware because unauthorised installations may pose a risk to data or conflict with existing hardware.
- Procedures for remote access. If a user is granted remote access there will be tight controls, such as allowing only a company laptop to be used or installing approved security software on the employee’s own PC. Callback procedures should also be in place.
- Security Awareness Testing to make users aware of the ‘hows’ and ‘whys’ of security.
- Discipline procedures. Every user must be thoroughly briefed on conduct that is not acceptable and should be aware of the consequences of ignoring this. In some companies, employees who ignore the issues listed above are given ‘final warnings’ or even sacked for their first offence.
Backup and Recovery Plans
Even with the best security policy in the world, mistakes will be made. For example, an unknown gap in security can be exposed by a hacker or human error. While it is possible to only focus on ‘big’ threats, smaller problems such as a user deleting a vital file by mistake should not be neglected. Procedures for backing up data in a safe place, and for recovering it when necessary, are vital.
A backup and recovery policy, written as a self-contained section of a security policy, will ensure that all data can easily be recovered in the event of catastrophe.
A backup and recovery plan should:
- Ensure all files are backed up at specified, frequent intervals;
- State how long backups are to be held;
- State how and where files will be backed up;
- State how files will be restored, for example:
1. In the event of human error, by restoring only selected files
2. In the event of electronic attack, by identifying and restoring affected files;
3. In the event of catastrophe, by relocating personnel and restoring data to servers at the new premises.
5.6.6. The law and ICT
There are three main laws governing the use of ICT.
1. The Data Protection Act 1998
The Data Protection Act governs the use of personal data. It defines the:
- Rights of data subjects (people whose data is stored);
- Responsibilities of data users (people who store and use the data)
Under the Data Protection Act, organisations using personal data are required to register with the Information Commissioner and state who they are, what data will be held and what it will be used for. There are a number of exceptions including data held for personal, family or recreational purposes (such as an e-mail address book or a Christmas card list), processing wages, and data relating to national security or crime prevention. ‘Personal data’ is any data from which a person can be identified and covers both facts and opinions about the individual.
Data users must adhere to eight principles of data protection to ensure that data is
- Fairly and lawfully obtained and processed
- Held only for specific purposes
- Not used in a way that is incompatible with the purpose it was obtained for
- Adequate, relevant and not excessive
- Accurate and up-to-date
- Not kept longer than necessary
- Processed in accordance with the data subject’s rights
- Kept secure
A data subject has the right to:
- Access data held about them (a small administration fee may be charged for this);
- Have errors corrected, and to seek compensation for damages arising from such errors;
- Compensation for the unauthorised disclosure of data.
2. The Copyright Designs and Patents Act 1998
Although it refers to a wide range of areas, in the context of a computer user, this prohibits people copying software that they do not have permission to copy, as well as using software that other people have illegally copied. This means any business must ensure that the software they use is properly licensed. This law also has effects on the individual. For a PC owner it may mean that some software they are using, or some music they listen to, is being accessed illegally.
3. The Computer Misuse Act 1990
The Computer Misuse Act 1990 classes the following as offences, which may lead to fines and/or imprisonment.
- Accessing data without permission, whether that data is held securely or not.
- Accessing a program on any computer system without proper authorisation.
- Modifying the data or programs on a computer system without permission.
- Restricting the ability of other people to access computer systems to which they should have access.
- Using a computer system to facilitate any crime.
The above applies whether a person commits the offence themselves, enables others to commit it, or writes a program (e.g. a virus) that will have the same effects, and regardless of whether any changes made are permanent or temporary.
5.6 Security and Legal Issues within a management information system
By the end of this section you should be able to describe:
- The threats to a company’s information systems
- The need for a security policy and what It contains
- The measures in place to avoid or minimise the impact of disasters
- The laws that relate to ICT and their implications on companies and society.
5.6.2 Threats to an organisation
There are several types of threats to an organisations data, including the following:
- Events completely out of an organisation’s control, such as natural disaster, fire, war or terrorism
- Events which happen, but the frequency of their occurrence can be controlled, such as operator error, faulty software or hardware failure
- Threat’s from the internet, such as hackers, viruses and ‘Trojan’ horses.
- Insecure communication channels e.g. intercepted phone calls, e-mails or letters (from within a company’s own post room) or employees removing secure data.
- Unauthorised access to premises including break-ins or imposters e.g. thieves posing as workmen and stealing property or data.
- Ex-employees who access company systems from the outside world to cause damage.
The impact of these threats can be minimised if managed properly. That’s why businesses should consider a proper security policy.
5.6.3 Security Policies
A security policy is a set of documents outlining a company’s assessment of threats and proposed ways of dealing with them.
It is normally the final responsibility of a director of the firm to ensure this policy is implemented. A security policy is the most critical element of an ICT security programme as it defines how all other aspects of security will operate.
A good security policy should do the following:
- Assess Risks
This includes noting who has access to different types of data and the consequence of losing access to it, as well as the consequences of software failure and theft, either by physical or electronic means.
- Implement ‘layers’ of security
Many obstacles should be placed in the way of any person with malicious intent. These include physical security, access controls, secure communications, audit trials and usage monitoring, anti-virus software and personnel security.
- Educate Users
Many security problems result from human error and can be avoided by encouraging employees to act responsibly.
Layers of Security
Physical Security
Unwanted visitors can be prevented or deterred by methods such as:
- bars on windows, especially at ground level.
- armed guards
- electrified fences
- walls topped with barbed wire
- Visible security cameras
Access Controls
It Is normal to have a system of user identities and passwords to restrict access. Some firms go further:
- A swipe card reader at each terminal, which recognises the door pass only of people authorised to use that machine.
- Disabling an employee’s user account when that person is not supposed to be at work and forcing employees to log off during breaks.
- Preventing employees from accessing more that one terminal at a time.
- Password protected screensavers which activate if an employee forgets to log off or is temporarily away from their desk.
- Disabling accounts that have incorrect passwords entered on multiple attempts.
- Disabling accounts of former employees
- Biometric measures, such as fingerprint or iris recognition.
Passwords
Passwords should be:
- regularly changed. Many companies force employees to change passwords at set intervals and block network access to anyone ignoring this or trying to use an old password.
- Contain numbers as well as letters.
- Be held in an encoded file which can be decoded only by network software.
Access Rights determine the way in which users may access particular files or records.
Within a database, users may have the ability to view particular data (i.e. read access), modify it (edit access), create new files (write access) or, in the case of programs, run them (execute access).
Secure Communications
It is vital that communications are secure. For example companies may insist that all internet communication is encrypted which can prevent the actions of certain virus or Trojan horse programs. Without blocks on unauthorised programs, such programs could be used to send private data out of a company without the user realising whats happening.
Also the use of a firewall can prevent access by hackers. A firewall makes a network or pc appear invisible to the outside world. A firewall can also block unauthorised programs sending or receiving data.
Audit Trials and Monitoring Usage
It is good practice for transactions to be monitored at all stage of processing. This benefits both company and customer. If anyone changes a record, a record is kept of who made the change and what they did.
An audit trial is generated by a system for the benefit of accountants. It allows them to follow all stage of all transactions easily. Public companies have to be able to give account of all money and business in order to prevent fraud. All business documents, including e-mail, must be recorded for six years as part of this. Log files are generated each time a user logs on, accesses a record or changes a file. With the correct software, It is possible to monitor everything an employee does. While this is useful in accounting and certainly reduces wasted time, it may create fears of management ‘snooping’. Employees guilty of wrongdoing have little defence.
Anti-Virus Software
All PCs should have effective anti-virus software installed and regularly updated. All modern viruses spread rapidly, an out-of-date virus checker is of little more use than one that is not installed at all. Many viruses spread as infected files attached as e-mails that trick users into opening them. Many viruses are targeted as security vulnerabilities in some software, for example Microsoft Outlook and some versions of Microsoft Windows. For this reason, security updates to software must be installed if they are available.
Personnel Security
Firms must be careful about who they employ, both to ensure they do not have an interest in rival firms, and to ensure that they are not potential hackers.
5.6.5 What determines a good ICT security policy?
A good ICT security policy:
- Has realistic aims, in relation to the purpose of the organisation.
- Identifies areas of responsibility for users, administrators and management. Everybody should be able to do their part without worrying about other people doing theirs.
- Provides clear and complete guidance to those involved in security incidents, which prevents foolish decisions being made as a result of people panicking.
- Defines how incidents will be handled. In addition to guidance given to people involved at the time, there should be a clear set of steps relating to further investigation, software modification, informing other people in the organisation and even the media.
- Is flexible and can be updated according to changes in technology or the organisation’s ‘mission’. As a result of technology changes, a security policy that was excellent 10 years ago may be inadequate today. For example, e-mail borne viruses were unheard of ten years ago, as were hackers taking advantage of internet chat facilities. Any organisation that adopts new technologies or ways of working must evaluate new risks.
- Is the responsibility of a senior member of the organisation because of the importance of security, though they may delegate certain roles.
One of the main factors in security breaches can be staff. A security policy should identify the roles and responsibilities of users and make provision for their education.
In this section, the policy should contain the following:
- Procedures for obtaining network access and deciding what data users may and may not access. Users should have access only to programs that they need. In some firms users might not have ‘full’ access to data until they have earned trust, working under direct supervision for a time.
- A statement of what is and is not acceptable for personal use of computer systems. Usage of the internet may be monitored to prevent illegal or immoral material being accessed from company machines.
- Procedures concerning passwords, including how often passwords are changed and procedures for dealing with those who are not responsible with passwords.
- Procedures for using removable storage devices since these can introduce viruses or can be used to remove secure data.
- An identification of acceptable standards in the use of e-mail. For some firms e-mail is informal and can therefore cause problems.
- Restrictions on installing applications and hardware because unauthorised installations may pose a risk to data or conflict with existing hardware.
- Procedures for remote access. If a user is granted remote access there will be tight controls, such as allowing only a company laptop to be used or installing approved security software on the employee’s own PC. Callback procedures should also be in place.
- Security Awareness Testing to make users aware of the ‘hows’ and ‘whys’ of security.
- Discipline procedures. Every user must be thoroughly briefed on conduct that is not acceptable and should be aware of the consequences of ignoring this. In some companies, employees who ignore the issues listed above are given ‘final warnings’ or even sacked for their first offence.
Backup and Recovery Plans
Even with the best security policy in the world, mistakes will be made. For example, an unknown gap in security can be exposed by a hacker or human error. While it is possible to only focus on ‘big’ threats, smaller problems such as a user deleting a vital file by mistake should not be neglected. Procedures for backing up data in a safe place, and for recovering it when necessary, are vital.
A backup and recovery policy, written as a self-contained section of a security policy, will ensure that all data can easily be recovered in the event of catastrophe.
A backup and recovery plan should:
- Ensure all files are backed up at specified, frequent intervals.
- State how long backups are to be held.
- State how and where files will be backed up.
- State how files will be restored, for example:
1. In the event of human error, by restoring only selected files
2. In the event of electronic attack, by identifying and restoring affected files;
3. In the event of catastrophe, by relocating personnel and restoring data to servers at the new premises.
5.6.6 The law and ICT
There are three main laws governing the use of ICT.
1. The Data Protection Act 1998
The Data Protection Act governs the use of personal data. It defines the:
- Rights of data subjects (people whose data is stored);
- Responsibilities of data users (people who store and use the data)
Under the Data Protection Act organisations using personal data are required to register with the Information Commissioner and state who they are, what data will be held and what it will be used for. There are a number of exceptions including data held for personal, family or recreational purposes (such as an e-mail address book or a Christmas card list), processing wages, and data relating to national security or crime prevention. ‘Personal data’ is any data from which a person can be identified and covers both facts and opinions about the individual.
Data users must adhere to eight principles of data protection to ensure that data is:
- Fairly and lawfully obtained and processed
- Held only for specific purposes
- Not used in a way that is incompatible with the purpose it was obtained for
- Adequate, relevant and not excessive
- Accurate and up-to-date
- Not kept longer than necessary
- Processed in accordance with the data subject’s rights
- Kept secure
A data subject has the right to:
- Access data held about them (a small administration fee may be charged for this);
- Have errors corrected, and to seek compensation for damages arising from such errors;
- Compensation for the unauthorised disclosure of data.
2. The Copyright Designs and Patents Act 1998
Although it covers a wide range of areas, in the context of a computer user this Act prohibits people from copying software that they do not have permission to copy, as well as using software that other people have illegally copied. This means any business must ensure that the software it uses is properly licensed. This law also affects the individual. For a PC owner it may mean that some software they are using, or some music they listen to, is being accessed illegally.
3. The Computer Misuse Act 1990
The Computer Misuse Act 1990 classes the following as offences, which may lead to fines and/or imprisonment:
- Accessing data without permission, whether that data is held securely or not.
- Accessing a program on any computer system without proper authorisation.
- Modifying the data or programs on a computer system without permission.
- Restricting the ability of other people to access computer systems to which they should have access.
- Using a computer system to facilitate any crime.
The above applies whether a person commits the offences themselves, enables others to commit them, or writes a program (e.g. a virus) that will have the same effects, and regardless of whether any changes made are permanent or temporary.
5.5 Developments and Change within Management Information Systems
Introduction
Once a management information system is installed it enters the maintenance phase of the system lifecycle and will change with time.
In addition to perfective and corrective maintenance, a lot of time may be spent in adaptive maintenance to cope with changing requirements.
Businesses rarely remain static because they are part of their evolving environment and must change with it. These changes may be as simple as developing new products or changing the company’s entire focus.
Such changes are often influenced by the MIS and guided by decision support systems and expert systems.
A new MIS is not guaranteed to succeed. It can fail for a variety of reasons, such as weaknesses in the system itself or because of the humans involved in it.
By the end of the section you should be able to describe:
- Why an information system might fail;
- The changes to a company when a new information system is introduced;
- The main features, uses and benefits of decision support systems;
- The main features, uses and benefits of expert systems.
5.5.2 Introducing a new Information System
A new system often does not run smoothly due to either technical or personnel glitches.
When introducing a new information system the following points should be addressed in order to ease the experience for employees. Their precise order depends on the method of implementation adopted and other circumstances unique to the company. But how they are handled will directly affect the attitude employees have to the new system.
Data Conversion: If data is not properly imported, or if users have to go through many ‘hoops’ to access data from the old system because of inefficient design, they may become frustrated.
New Work Practices: The way that people do their jobs will change in some way. Some people may be glad to be rid of mundane tasks while others may want to hold onto them because they are comfortable with them. Employees may view a new system as either the solution to their problems, or as a needless replacement for a system that worked.
Allowing the users to continue to access old software: For example, a company moving from an office package to another may decide to give users six months to migrate at their own pace from one to the other while training is organised. However, some users may decide they prefer the old package and may stubbornly hold onto it. Other companies may do the opposite and force users to change systems overnight. If the new system is not satisfactory some staff may stop working and complain that they cannot use the system because it does not work.
Training: Busy employees may resent training, seeing it as a waste of time that disrupts the work they have to do. There are those who would rather use a system inefficiently than attend training because of the feeling of ‘doing something’, as opposed to the feeling of wasting time. This negative attitude exists because some training seminars are actually of questionable value: they are poorly presented or take longer than necessary. Training must be presented to employees as something that will benefit both them and the company.
It thus can be seen that the attitude of employees contributes to a system’s failure or success. However, if employees are treated in a sensible and respectable manner, many potential problems can be avoided.
A system’s success is also determined by the external and internal factors considered in the previous section. At all times a system must remain relevant to the company’s mission, environment and people. If it fails to adapt, a system that is acceptable may soon be rendered useless. Systems may fail even before they are implemented. Poor analysis can lead to many errors, an unworkable design, obsolete features, or even the project’s cancellation. A system that does not do what it is expected or required to do may have lasting effects on a business.
Delivering a successful system is therefore much more than good design and programming.
5.5.3 Decision Support Systems (DSS)
A decision support system is a set of integrated tools designed to help in problem solving, such as scheduling work activities, allocating resources and forecasting future trends. A DSS can operate as a stand-alone tool, though it is more often integrated with existing transaction processing systems and/or MIS. DSS are basically problem solving tools that analyse data gathered by other systems and combine this data with decision making models to produce information to help the user solve problems.
A DSS has a number of distinct features that make it much more than a ‘powerful MIS’:
- It brings together data and mathematical models to support human judgement.
- It supports several interdependent decisions, by modelling the impact that differing problems have on each other.
- It supports a wide variety of decision making processes and styles.
- It assists decision making within dynamic business conditions.
- It supports ad hoc queries.
A DSS can assist with several different types of problem including:
- Independent Problems: Problems that are completely separate from each other. In this case, the goal is to find the best solution to a single problem.
- Interrelated Problems: Problems that affect each other. The goal is to find the best overall set of solutions, not just the solution to independent problems.
- Organisational Problems: These are problems that span a number of departments within an organisation and may affect the organisation as a whole.
A DSS has three main components:
- The DBMS stores internal and external data that are analysed by the DSS. The MIS accesses the same DBMS.
- Model Management System – takes input data, performs some sort of computation upon it and delivers output that is often in the form of a forecast. There are many different kinds of model. Statistical models are used to analyse statistics, such as production rates or sales figures. Financial and accounting models assess the financial implications of different courses of action including ‘optimistic’, ‘pessimistic’ and ‘realistic’ scenarios of what may happen. For example, in an optimistic scenario, sales may be 30% above the expected rate and in a pessimistic scenario, sales may be 60% less than expected. Production models perform functions such as calculating the number and type of machines needed, amount of raw materials required and their rates of consumption. Marketing models are used to aid decisions such as locating new stores, pricing products and forecasting sales. Finally, human resource models help managers to make decisions that involve personnel, including planning numbers of workers needed, assessing training needs, maintaining a skills inventory and assessing implementation of government rules and regulations.
- Support Tools allow a user to interact with the system. They include pull down menus, online help, user interfaces and tools for graphical analysis.
Although we have seen how a DSS is composed and the types of problem it can deal with, the underlying function of a DSS is fivefold.
- Model building, i.e. identifying appropriate models for solving a given problem. This involves analysing input variables, relationships between the variables, assumptions made about the problem and constraints on the problem.
- ‘What if’ Analysis is used to assess the effect a changing variable will have on operations, for example ‘what if interest rates rise?’, ‘what effect will rising oil prices have on manufacturing costs?’, or ‘how much will demand increase if we reduce prices?’.
- Goal seeking works in the opposite way. A desired goal is entered and analysed, allowing decision makers to determine the input values needed to achieve this. For example, a company may want to increase profits by 10% but seek to do this without forced redundancies or hefty price rises.
- Risk analysis assesses the uncertainties of different courses of action. Probability statistics are used to evaluate these risks.
- Graphical Analysis allows data and information to be viewed as graphs and charts.
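An added Python example (not from the original notes) of ‘what if’ analysis and goal seeking run on one model. The profit formula and baseline figures are constructed; the optimistic and pessimistic factors are the 30% and 60% figures from the model description above, and goal seeking assumes profit moves in one direction as the chosen input rises.

```python
def profit(units, price, unit_cost, fixed_costs):
    """Constructed financial model: contribution from sales minus overheads."""
    return units * (price - unit_cost) - fixed_costs


# Constructed 'realistic' figures for one product line.
BASELINE = {"units": 10_000, "price": 12.0, "unit_cost": 7.0, "fixed_costs": 30_000.0}

# Sales 30% above expected, as expected, and 60% below expected.
SALES_FACTORS = {"optimistic": 1.30, "realistic": 1.00, "pessimistic": 0.40}


def what_if(model, baseline, **changes):
    """Re-run the model with some inputs changed and the rest left at baseline."""
    return model(**{**baseline, **changes})


def scenarios(model, baseline, variable, factors):
    """Apply each scenario's multiplier to one input and collect the outcomes."""
    return {
        name: what_if(model, baseline, **{variable: baseline[variable] * factor})
        for name, factor in factors.items()
    }


def goal_seek(model, baseline, variable, target, low, high, tol=1e-9):
    """Work backwards: find the input value in [low, high] that hits the target.

    Uses bisection, so the model must be continuous and monotonic in
    `variable` over the search range.
    """
    def gap(x):
        return what_if(model, baseline, **{variable: x}) - target

    gap_low, gap_high = gap(low), gap(high)
    if gap_low == 0:
        return low
    if gap_high == 0:
        return high
    if (gap_low > 0) == (gap_high > 0):
        raise ValueError("target cannot be reached within the given range")
    while high - low > tol:
        mid = (low + high) / 2
        gap_mid = gap(mid)
        if gap_mid == 0:
            return mid
        if (gap_mid > 0) == (gap_low > 0):
            low, gap_low = mid, gap_mid   # answer lies in the upper half
        else:
            high = mid                    # answer lies in the lower half
    return (low + high) / 2


if __name__ == "__main__":
    base = what_if(profit, BASELINE)
    print("baseline profit:", base)
    print("what if unit cost rises to 8?", what_if(profit, BASELINE, unit_cost=8.0))
    print("sales scenarios:", scenarios(profit, BASELINE, "units", SALES_FACTORS))
    # Goal: 10% more profit without touching price or sales volume.
    print("unit cost needed:", goal_seek(profit, BASELINE, "unit_cost", base * 1.10, 0.0, 12.0))
```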
5.5.4 Expert Systems
An expert system is an application that performs some task that a human expert would otherwise perform and does so at, or near, the skill level of the human expert. Such a system is given the knowledge a human ‘expert’ would have in a specialist field and, based on that knowledge, it makes recommendations. While a DSS makes recommendations that humans are expected to discuss, evaluate, and query further, an expert system is expected to give the correct answer without the need for discussion. This means that it is suitable only for certain applications where rules can be clearly defined.
Some human experts may use an expert system to give them a ‘second opinion’. For example, a doctor may use such a system to analyse x-ray images. Alternatively, a human who is not an expert may use such a system to help them make decisions. For example, an expert system could carry out fault diagnosis in a machine before repair details are passed to the human expert. This approach is efficient because the human expert does not have to waste time making a diagnosis when the computer can perform this task. Expert systems have been developed in many fields, including medicine and law.
Many expert systems are really a branch of artificial intelligence (AI) and like many AI systems seek to model some aspect of human reasoning. An expert system must be capable of taking the same inputs as a human expert and being correct in its outputs at least as often as the human. And, like any human expert, it needs the ability to learn from experience.
Alan Turing, considered by many to be the father of artificial intelligence, proposed what is now called the Turing test. This states that a computer can be considered intelligent if, following a conversation with a human via a remote terminal, the human cannot tell if they were talking with a computer or a human.
Although no system has comprehensively passed the Turing test, some are considered to be as effective as humans in limited areas, such as specialist legal or game playing systems, because they consistently give the same output as a human would.
An expert system has the following features:
- It is limited to a certain area of knowledge (domain)
- It is based around rules, facts and principles.
- It can deal with ‘fuzzy logic’ (instead of plain yes/no, it can process a third value – ‘don’t know’ or ‘maybe’).
- The system’s reasoning can be explained to the user.
- It is capable of learning from experience.
An expert system has three main components.
- A knowledge base which is a store of facts, rules and principles from a given field. Knowledge representation is the process of translating knowledge into a form that can be programmed into the expert system.
- The inference engine solves a problem by applying the rules and knowledge already in the system to the facts that are entered concerning the problem.
- The user interface which includes menus, graphics and facilities for explaining the system’s reasoning.
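The components above, as an added Python example (not from the original notes): a small knowledge base of rules, an engine that applies them to the facts entered, and an explanation of each conclusion. It uses the machine fault diagnosis case mentioned earlier and the third ‘don’t know’ value from the feature list; the rules and fact names are constructed.

```python
# Knowledge base: (rule name, conditions {fact: required value}, conclusion).
# Constructed rules for diagnosing a faulty machine.
RULES = [
    ("R1", {"power_light_on": False, "plugged_in": True}, "fuse_blown"),
    ("R2", {"power_light_on": True, "motor_turns": False}, "motor_fault"),
    ("R3", {"motor_fault": True, "burning_smell": True}, "replace_motor"),
    ("R4", {"motor_fault": True, "burning_smell": False}, "check_drive_belt"),
]


def match(conditions, facts):
    """Three-valued AND over a rule's conditions.

    Returns False if any condition is contradicted, None ('don't know') if
    none is contradicted but at least one fact is unknown, otherwise True.
    """
    result = True
    for fact, required in conditions.items():
        value = facts.get(fact)  # a missing fact counts as 'don't know'
        if value is None:
            result = None
        elif value != required:
            return False
    return result


def infer(rules, observations):
    """Apply the rules repeatedly until nothing new can be concluded.

    Returns (facts, explanation, maybe):
      facts       - observations plus every conclusion settled True or False
      explanation - one line per rule that fired, for showing to the user
      maybe       - conclusions still open, with the facts needed to settle them
    """
    facts = dict(observations)
    explanation = []
    goals = list(dict.fromkeys(conclusion for _, _, conclusion in rules))

    changed = True
    while changed:
        changed = False
        for goal in goals:
            if facts.get(goal) is not None:
                continue  # already settled
            outcomes = [(name, cond, match(cond, facts))
                        for name, cond, conclusion in rules if conclusion == goal]
            fired = [(name, cond) for name, cond, result in outcomes if result is True]
            if fired:
                name, cond = fired[0]
                facts[goal] = True
                reasons = ", ".join(f"{fact} is {value}" for fact, value in cond.items())
                explanation.append(f"{name}: {goal} because {reasons}")
                changed = True
            elif all(result is False for _, _, result in outcomes):
                facts[goal] = False  # every rule that could conclude it is ruled out
                changed = True

    maybe = {}
    for name, cond, goal in rules:
        if facts.get(goal) is None and match(cond, facts) is None:
            missing = {fact for fact in cond if facts.get(fact) is None}
            maybe[goal] = sorted(missing | set(maybe.get(goal, [])))
    return facts, explanation, maybe


if __name__ == "__main__":
    # The engineer has not yet checked for a burning smell.
    observed = {"power_light_on": True, "motor_turns": False, "burning_smell": None}
    facts, explanation, maybe = infer(RULES, observed)
    print("\n".join(explanation))
    for conclusion, missing in maybe.items():
        print(f"maybe {conclusion}: need to know {', '.join(missing)}")
```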
5.4 Strategies used within Management Information Systems
An organisation does not implement an MIS and leave it running to chance. The MIS is part of overall business strategy and is maintained as such. The overall way a business operates influences how the MIS is used and, ultimately, its success or failure.
In this section we consider the internal and external factors that influence a business and consequently the factors that influence the MIS.
5.4.2 External Factors that influence a business
No business exists in a static environment. It is continually influenced by a number of internal and external factors. These factors change in the size and scale of influence over time. Some can be ignored without having a significant effect on the business, while others can cripple the business if ignored.
External factors can arise suddenly, such as a supplier failing to deliver goods. This may be due to a failure on the supplier’s part, or on the part of the couriers. The latter can be seen in instances such as the postal strike in 2003, which affected even UK businesses that were situated far away from striking sorting offices. A failure of supply can affect an organisation’s production or sales.
External factors may also arise over time, and these can be more readily planned for. Examples include the growth of ICT within a business or changes in legislation that are publicised well in advance of becoming law. Nevertheless, an organisation should have a written plan that anticipates as many unexpected problems as possible, together with what to do if they arise. If problems are thought through in advance, there is less chance of panic when something does go wrong. This gives an advantage to established firms who often know their market and can anticipate problems that are likely to occur better than a new company. In either case, business can be affected when a company is caught unprepared when problems strike.
Some examples of external factors are:
- Communication Links
A generation ago, any business that wanted to be taken seriously on a ‘big scale’ had to be located in a major city. This was to facilitate meeting customers and suppliers alike (who were in the same major city). Because of the growth of ICT, much of this face-to-face communication can be replaced with video conferencing, e-mail or phone calls. A positive effect of this is that companies can be located outside cities, where overheads such as rent and rates are often much less. This does, however, mean an increased reliance on communication links which must be of a high standard and highly reliable. Because it is inefficient for many firms to employ their own telecommunications staff, they may hire telecoms specialists to maintain communication links. These specialists invest heavily in preventing problems, installing backups and providing alternative services when required.
- Suppliers of goods
Firms often depend on other firms to provide goods for sale or as components in manufacturing. Suppliers may fail for a variety of reasons and so firms must have written action plans to either avoid being affected, or to know how to react, when problems occur. This may include sourcing the same item from different places or purposely keeping a large supply in case of supply failure.
- Suppliers of computer systems
Just as suppliers of goods may fail, so suppliers of hardware and software may fail. Companies must have their response to such a situation planned before it happens. For example if a company developing software goes out of business with a system partially implemented, the client does not want to find out at the last minute that their business will be crippled. Rather management should be in a position to act calmly according to a pre-defined plan, such as keeping the old system or re-advertising the development contract.
- Faulty software
It is virtually impossible to guarantee that a software system has no ‘bugs’. Companies must take adequate measures to ensure that operations and data are not compromised even if errors manifest themselves. This includes making multiple backups of data and using redundant systems that duplicate everything the main system does.
- Changes in legislation
Changes in legislation are often announced well in advance so that companies have time to plan. A new system may even have potential new legislation included in its design. For example, if a company commissioned a new finance system in 2004 for use in the UK, it may well have had Euro capability included, because of the possibility that the UK would adopt the euro. This is easier to put into the system at the design stage than as adaptive maintenance.
- Changes in work practice
Companies may change their work practices for many reasons. These changes can be small or, as in the case of being taken over by another firm, huge. Such changes affect ICT, whether it is only to change a few procedures or the more complex problem of merging the entire systems from two companies.
- Forced upgrades in software/hardware
Some off-the-shelf software is regularly upgraded. This may be to improve security or add new features. The release of new software will impact on companies using old versions of the software.
5.4.3 Internal factors that influence a business
Some of the most powerful influences on a business can come from the inside rather than the outside. For example, all it takes is for a managing director to make a negative comment about their goods for the business to suffer major damage from a poor public perception. At the lower levels of the firm, poor morale in stores or in factories can lead to a lack of productivity.
Some examples of internal factors are listed below:
Company Structure – The structure of a company has a bearing on how effective internal communications is. A company may have too many levels of management, which can lead to complaints of over-bureaucracy, or a company may have too little management that can lead to a lack of organisation and direction.
Communication between ICT and Non-ICT staff – IT staff are often thought to speak a different language to other employees and are sometimes criticised for an unsympathetic attitude towards non-technical colleagues. If this perception is allowed to persist, ICT problems will not be dealt with because people are afraid to ask for help.
Company Culture – In some companies or industries, it is normal to work ten or more hours per day and to work weekends. In such companies, those who arrive at 8am are ‘late’ and those who go home before 6pm are considered to be ‘lazy’. This is considered by some to improve productivity but the reality is that a prolonged lack of rest can lead to physical and mental health problems and can actually reduce productivity.
Teleworking – Many companies allow employees to work at home. This is useful for those whose entire day at work would be spent in front of a computer and whose presence in the office may not always be required. This may benefit those employees with young families. However those who telework may feel like ‘outsiders’ when they return to the office, having missed much of the social dimension of work.
Poor Management – A lack of leadership can cause employees to lose focus, simply because they do not know what they are supposed to be doing.
Individualism – The world would be boring if everybody acted the same but it can be a major problem if people within an organisation insist on following their own agendas. When a few people ignore a company’s way of working there can be serious knock-on effects for others. For example, if one person ignores timekeeping other people may be held up in their work, or if one person insisted on running their favourite software, the overall stability of a company’s systems may be affected.
Departments allowed to exist as ‘independent states’ – Many companies face the problem of the management in a single department refusing to integrate with the rest of the company. This may arise because of a well intentioned ambition which causes them to work around the confines of the company structure, or simply because they are being awkward. Such a culture will lead to that department having separate work policies (including ICT policy) from the rest of the organisation and this will lead to difficulties sharing data between departments and have further adverse effects on the business as a whole.
User Training – If employees are improperly trained, information systems will not be used to their full potential and much time can be wasted. A survey in 2003 estimated that 1 in 7 ICT workers in the UK requested help for turning on a computer and 1 in 5 called a helpline for simple tasks, such as saving or printing.
Over-Confident Users – In contrast to those who ask for help too often are users who do not ask for help when they really need it. This can, in fact, be the bigger headache for ICT staff. Users who think they know what they are doing can destroy data without realising it. A well designed system should have a series of checks and backups to prevent such users causing irreparable harm.
Teamwork – It has been said that while one man cannot lift half a pool table because of its size and weight, two men are able to lift an entire pool table. That is, their strength is multiplied when combined. In a similar way, in any organisation more can be done when people work together to an agreed plan, doing agreed jobs to agreed schedules. This comes about as a result of good planning and good working relationships.
Morale – All of the above factors influence morale. Regardless of the cause, if morale is low, productivity drops due to increased absenteeism or unmotivated employees.
5.4.4 – The structure of a management information system
A company’s MIS should be implemented through good planning and research and not left to chance. At the time of analysis, the structure of the company and its mission should be thoroughly documented to ensure that the MIS reflects these. However, it is also true that no company is static, and neither should the MIS be. Over time, the company focus may change and the MIS should be adapted to cope with this. As with many other software projects the MIS will enter a period of continual maintenance and evolution and procedures should be followed to ensure that changes are made only after careful consideration.
To maximise the effectiveness of the MIS, the following principles should be followed:
- The MIS should be used as a company wide resource.
- The MIS should be thoroughly planned and documented.
- As far as possible, all factors that influence the company should be taken into account.
- In each part of the organisation, the MIS should be supplying all the data that users need. Users should not have to look outside the MIS for data needed for their job.
- While departments may get on with their jobs in isolation from each other, there is a continual flow of data between them managed by the MIS. Therefore the various parts of the MIS must effectively work together.
- No department should be allowed to implement its own ICT policy without integrating with the existing systems. This should only be done following discussion with ICT staff, to ensure incompatibilities are avoided.
5.4.5 The need for a considered information system strategy
We have seen that a company wide information system will meet the needs of all users, presenting information to them in a useful form. Such a system is constructed of several modules, purposely designed to work together.
We have also seen that creating an ICT management layer to be in charge of all ICT policies allows a company wide strategy to be mapped out, and that this must be adhered to. Doing so will avoid the problem of departments investing in their own systems and thus causing instability or loss of function when integrated with company wide systems. A carefully considered, company wide, ICT strategy therefore leads to better training of staff and a better overall use of resources.5.4 Strategies used within Management Information Systems
An organisation does not implement an MIS and leave it running to chance. The MIS is part of overall business strategy and is maintained as such. The overall way a business operates influences how the MIS is used and, ultimately, its success or failure.
In this section we consider the internal and external factors that influence a business and consequently the factors that influence the MIS
5.4.2 External Factors that influence a business
No business exists in a static environment. It is continually influenced by a number of internal and external factors. These factors change in the size and scale of influence over time. Some can be ignored without having a significant effect on the business, while others can cripple the business if ignored.
External factors can arise suddenly, such as a supplier failing to deliver goods. This may be due to a failure on the supplier’s part, or on the part of the couriers. The latter can be seen in instances such as the postal strike in 2003, which affected even UK businesses that were situated far away from striking sorting offices. A failure of supply can affect an organisation’s production or sales.
External factors may also arise over time, and these can be more readily planned for. Examples include the growth of ICT within a business or changes in legislation that are publicised well in advance of becoming law. Nevertheless, an organisation should have a written plan that anticipates as many unexpected problems as possible, together with what to do if they arise. If problems are thought through in advance, there is less chance of panic when something does go wrong. This gives an advantage to established firms who often know their market and can anticipate problems that are likely to occur better than a new company. In either case, business can be affected when a company is caught unprepared when problems strike.
Some examples of external factors are:
- Communication Links
A generation ago, any business that wanted to be taken seriously on a ‘big scale’ had to be located in a major city. This was to facilitate meeting customers and suppliers alike (who were in the same major city). Because of the growth of ICT, much of this face-to-face communication can be replaced with video conferencing, e-mail or phone calls. A positive effect of this is that companies can be located outside cities, where overheads such as rent and rates are often much less. This does, however, mean an increased reliance on communication links which must be of a high standard and highly reliable. Because it is inefficient for many firms to employ their own telecommunications staff may hire telecoms specialists tot maintain communication links who invest heavily in preventing problems, installing backups and providing alternative services when required.
- Suppliers of goods
Firms often depend on other firms to provide goods for sale or as components in manufacturing. Suppliers may fail for a variety of reasons and so firms must have written action plans to either avoid being affected, or to know how to react, when problems occur. This may include sourcing the same item from different places or purposely keeping a large supply in case of supply failure.
- Suppliers of computer systems
Just as suppliers of goods may fail, so suppliers of hardware and software may fail. Companies must have their response to such a situation planned before it happens. For example if a company developing software goes out of business with a system partially implemented, the client does not want to find out at the last minute that their business will be crippled. Rather management should be in a position to act calmly according to a pre-defined plan, such as keeping the old system or re-advertising the development contract.
- Faulty software
It is virtually impossible to guarantee that a software system has no ‘bugs’. Companies must take adequate measures to ensure that operations and data are not compromised even if errors manifest themselves. This includes making multiple backups of data and using redundant systems that duplicate everything the main system does.
- Changes in legislation
Changes in legislation are often announced well in advance so that companies have time to plan. A new system may even have potential new legislation included in its design. For example, if a company commissioned a new finance system in 2004 for use in the UK, it may well have had Euro capability included, because of the possibility that the UK would adopt the euro. This is easier to put into the system at the design stage than as adaptive maintenance.
- Changes in work practice
Companies may change their work practices for many reasons. These changes can be small, or huge, as in the case of being taken over by another firm. Such changes affect ICT, whether it is only to change a few procedures or the more complex problem of merging the entire systems from two companies.
- Forced upgrades in software/hardware
Some off-the-shelf software is regularly upgraded. This may be to improve security or add new features. The release of new software will impact on companies using old versions of the software.
5.4.3 Internal factors that influence a business
Some of the most powerful influences on a business can come from the inside rather than the outside. For example, all it takes is for a managing director to make a negative comment about their goods for the business to suffer major damage from a poor public perception. At the lower levels of the firm, poor morale in stores or in factories can lead to a lack of productivity.
Some examples of internal factors are listed below:
Company Structure – The structure of a company has a bearing on how effective internal communication is. A company may have too many levels of management, which can lead to complaints of over-bureaucracy, or a company may have too little management, which can lead to a lack of organisation and direction.
Communication between ICT and Non-ICT staff – IT staff are often thought to speak a different language to other employees and are sometimes criticised for an unsympathetic attitude towards non-technical colleagues. If this perception is allowed to persist, ICT problems will not be dealt with because people are afraid to ask for help.
Company Culture – In some companies or industries, it is normal to work ten or more hours per day and to work weekends. In such companies, those who arrive at 8am are ‘late’ and those who go home before 6pm are considered to be ‘lazy’. This is considered by some to improve productivity but the reality is that a prolonged lack of rest can lead to physical and mental health problems and can actually reduce productivity.
Teleworking – Many companies allow employees to work at home. This is useful for those whose entire day at work would be spent in front of a computer and whose presence in the office may not always be required. This may benefit those employees with young families. However those who telework may feel like ‘outsiders’ when they return to the office, having missed much of the social dimension of work.
Poor Management – A lack of leadership can cause employees to lose focus, simply because they do not know what they are supposed to be doing.
Individualism – The world would be boring if everybody acted the same but it can be a major problem if people within an organisation insist on following their own agendas. When a few people ignore a company’s way of working there can be serious knock-on effects for others. For example, if one person ignores timekeeping other people may be held up in their work, or if one person insisted on running their favourite software, the overall stability of a company’s systems may be affected.
Departments allowed to exist as ‘independent states’ – Many companies face the problem of the management in a single department refusing to integrate with the rest of the company. This may arise because of a well intentioned ambition which causes them to work around the confines of the company structure, or simply because they are being awkward. Such a culture will lead to that department having separate work policies (including ICT policy) from the rest of the organisation and this will lead to difficulties sharing data between departments and have further adverse effects on the business as a whole.
User Training – If employees are improperly trained, information systems will not be used to their full potential and much time can be wasted. A survey in 2003 estimated that 1 in 7 ICT workers in the UK requested help for turning on a computer and 1 in 5 called a helpline for simple tasks, such as saving or printing.
Over-Confident Users – In contrast to those who ask for help too often are users who do not ask for help when they really need it. This can, in fact, be the bigger headache for ICT staff. Users who think they know what they are doing can destroy data without realising it. A well designed system should have a series of checks and backups to prevent such users causing irreparable harm.
Teamwork – It has been said that while one man cannot lift half a pool table because of its size and weight, two men are able to lift an entire pool table. That is, their strength is multiplied when combined. In a similar way, in any organisation more can be done when people work together to an agreed plan, doing agreed jobs to agreed schedules. This comes about as a result of good planning and good working relationships.
Morale – All of the above factors influence morale. Regardless of the cause, if morale is low, productivity drops due to increased absenteeism or unmotivated employees.
5.4.4 – The structure of a management information system
A company’s MIS should be implemented through good planning and research and not left to chance. At the time of analysis, the structure of the company and its mission should be thoroughly documented to ensure that the MIS reflects these. However, it is also true that no company is static, and neither should the MIS be. Over time, the company focus may change and the MIS should be adapted to cope with this. As with many other software projects the MIS will enter a period of continual maintenance and evolution and procedures should be followed to ensure that changes are made only after careful consideration.
To maximise the effectiveness of the MIS, the following principles should be followed:
- The MIS should be used as a company-wide resource.
- The MIS should be thoroughly planned and documented.
- As far as possible, all factors that influence the company should be taken into account.
- In each part of the organisation, the MIS should be supplying all the data that users need. Users should not have to look outside the MIS for data needed for their job.
- While departments may get on with their jobs in isolation from each other, there is a continual flow of data between them managed by the MIS. Therefore the various parts of the MIS must effectively work together.
- No department should be allowed to implement its own ICT policy without integrating with the existing systems. This should only be done following discussion with ICT staff, to ensure incompatibilities are avoided.
5.4.5 The need for a considered information system strategy
We have seen that a company wide information system will meet the needs of all users, presenting information to them in a useful form. Such a system is constructed of several modules, purposely designed to work together.
We have also seen that creating an ICT management layer to be in charge of all ICT policies allows a company wide strategy to be mapped out, and that this must be adhered to. Doing so will avoid the problem of departments investing in their own systems and thus causing instability or loss of function when integrated with company wide systems. A carefully considered, company wide, ICT strategy therefore leads to better training of staff and a better overall use of resources.
5.3 Management Information Systems
Management Information Systems (MIS) are information systems that monitor and control an organisation’s internal operations.
They are a broad class of systems that provide decision makers with information they need to do their jobs. A MIS takes its input from a data processing system and provides output as reports to management.
5.3.2 The purpose of management information systems
A MIS allows management at all levels of an organisation to:
Plan, organise, direct and control their organisation;
Access data that is particularly relevant to them and present it in an effective way;
Access data from within the company in real time, not just data that is processed at set periods of time (as batches).
5.3.3 Features of a MIS
A MIS is an essential part of an organisation’s information management. As part of the organisation’s overall ICT strategy, it does the following:
- Gathers information from throughout the organisation for processing and storage. It uses transaction processing systems as the primary source of data.
- Presents information to those who need it, in a way that is meaningful to them. It is therefore very flexible in how it allows users to interact with it and allows users to specify the data they want to access and how they want it presented.
- Records and presents external data.
The MIS does all this in real time, i.e. users can see ‘live’ data. A MIS is far more than an accounting system that only deals with completed transactions, or a transaction processing system that performs repetitive data processing tasks.
Output of a MIS
The output of a MIS is in the form of reports that present information in an accessible format to management. Two types of report are produced:
- A summary report presents aggregate data from several transactions, for example a summary of a day’s sales within a supermarket.
- An exception report outlines deviations from the expected output, to draw attention to any unusual performance patterns, for example a report of any product that is selling less than 50 units per day, or that is selling out before new stock arrives.
In both cases, reports should be:
- Brief and to the point
- Accurate
- Timely
- Reliable
- Verifiable (i.e. the data it is based on should be easy to check)
- Readily Useable
Drawbacks of using a MIS
While a MIS is very effective in its presentation of data, there are a number of potential problems that users should be aware of.
- Errors in an analysis or design will lead to incorrect output from the MIS.
- The MIS may fail for some reason, rendering its output unavailable.
- The MIS may not be able to easily accommodate unexpected events.
For any of these reasons, it is vital that management are fully trained in their area of responsibility and are not simply making decisions ‘because the computer says so’. Management should have a depth of experience that allows them to cope when the MIS fails, and to recognise when output data is incorrect or unreliable.
5.3.4 Influences on a MIS
There are many influences on a MIS that contribute to its overall success or failure. Some of these are listed below:
- A thorough analysis of the problem
A good analysis fully addresses the problem and user needs. If the analysis has missed detail the project is weakened from the outset.
- The Design
A complete design can only come from a full analysis. However a full analysis does not guarantee a good design if designers are careless.
- Addressing the users’ needs
This may seem like an obvious consideration. However many systems fail because the analysts or designers address what they think the user needs and not what the user actually needs.
- Usability and ease of manipulating data
A good design gives users the option of manipulating data the way they see fit and not according to what the designers thought was convenient. While designers may have their own preferences for using systems, they must remember that non-expert users often have a different perspective.
- The structure of an organisation
A good MIS will allow effective communication between all levels of an organisation. This can only be ensured by a comprehensive analysis.
- The ICT department are left in charge
There should be no provision for departments to put their own ICT solutions in place without referral to the central ICT policy. If this is allowed a ‘mish-mash’ of incompatible systems will lead to data redundancy, duplication and lack of communication. Data being transferred between these systems will require re-keying, which often introduces errors.
- Software from different departments must be able to share data:
This is best done by leaving the ICT departments in charge. Often data will be centrally held to enforce compliance with established procedure. While this may annoy the person whose favourite piece of software cannot access data, it does mean that the same person cannot damage the database by making changes that the other users’ software cannot read.
- An efficient flow of data
There should be no needless bureaucracy or duplication of data. If staff perceive work as having no real purpose they are likely to ignore it, yet some organisations measure workers’ effectiveness by the amount of paper that they generate!
- Support for ad hoc (‘on-the-fly’) reporting
Management reports should be able to be generated ‘live’, based on up-to-the-minute data. Some organisations produce management reports at the end of the day’s work and do not have the flexibility to produce reports at other times.
- The system must be delivered on time and on cost:
Many systems fail either because of huge delays in implementation or because of spiralling costs, both of which drive away customers.
- Staff Morale
It does not matter how good a system is at managing data if staff dislike it. Often morale is influenced by factors such as a system’s usability or the range of features it offers. If a new system is introduced for the wrong reasons, morale may plummet.
A system can be considered successful if it meets all user requirements (as defined in the analysis) and is accepted by users. An unsuccessful system either fails to be implemented, fails to meet requirements, or is simply not accepted by users.
5.2 Information Systems within an Organisation
Data Processing Systems are used within an organisation to process day to day events. These systems perform many useful functions such as logging sales or the movement of products within a warehouse. Such a system will pass data into an information system.
5.2.2 Information Systems versus data processing systems
Both of these types of system are used in many organisations and it can be difficult to tell precisely where one stops and the other begins. It is therefore even more difficult to grasp the distinction between them.
A data processing system gathers data for use within an information system. It handles routine events which prompt some form of input into a system.
Examples of these include the systems that process data from a supermarket checkout, or process data relating to stock movements within a warehouse. Hence, people at the lowest levels of an organisation’s structure generally use these systems.
An information system gathers data from data processing systems and often aggregates or summarises it in some way.
For example, a supermarket manager will not be concerned about every single can upon the shelves but will be concerned with the overall view of stock. The sales data is gathered by a data processing system but the summary is produced by an information system.
Systems used by progressively higher levels of management, such as Management Information Systems, will aggregate more and more information, but present it in an increasingly summarised form.
5.2.3 How a business is organised
Three levels of ‘view’
Three different perspectives on a company can be summarised as three different ‘views’ of the organisation.
Strategic View:
This is the view from the top of the company, including senior management and company directors. This view allows overall company strategy to be planned, and decisions taken at this level have an impact that is felt at lower levels only after a few weeks, or even over a few years. These decisions will affect the whole organisation, or large sections of it.
Tactical View:
This is the view middle management have, including the management of operations and allocation of staff to resources. Decisions taken in relation to the running of a department will be felt that day, or may involve planning ahead into the next few months. The decisions will affect large groups of people working together within an organisation, such as within a particular factory or store.
Operational View:
This is the view that a person has at the lowest level, including production ‘operatives’, heads of small departments or groups of people who have a specific, small, area of responsibility. This view relates to the day-to-day operations and decisions taken will be felt immediately and only impact on a few people.
A company’s information system should provide information tailored to each level within the company in order to assist those people as effectively as possible.
But no matter at what level the information system is used, it ultimately receives its data from each and every transaction that occurs, whether that be an item sold or an item taken from a warehouse.
Tuesday, April 15, 2008
5.1 Knowledge, Information and Data
External and Internal Data
External data is data entering the organisation from the outside (from an external source), or data created within the organisation and then output to an external organisation. Internal data is data whose source and destination are within a single organisation.
Quality of Information and Information flow
Because information is vital for each daily task and is used to guide business decisions, using low quality information leads to mistakes.
There are five main factors that affect the quality of data. Data should be:
- Accurate
- Up-to-date
- Complete
- Relevant
- Presented Effectively
Quality is not static – As information moves within an organisation its quality can change. For example if a manager receives poorly presented production figures from the shop floor they may be given a lot of irrelevant details. Hence data that is considered high quality in one place may be low quality in another due to lack of relevance.
Data quality can also be affected by the way an information system is actually constructed. While an information system that is the result of a well-considered analysis and design should present high quality information, a poorer system can lead to problems:
- It may address the wrong problem and therefore be of no help to users. This may happen if analysts have misunderstood the main problem.
- It ignores the structure of the organisation. That is, if analysts or designers have tried to impose an unrealistic vision of how the company should work upon the company and it has not been accepted.
- The above two examples assume the analysis was reasonable, but slightly flawed. There is also the possibility that the analysis was totally wrong but not realised until an ineffective system was up and running.
- The system was developed for the wrong reasons, for example a new manager wanting to make his mark or because the ICT department have bought unnecessary new technology. Users may resent this approach because from their perspective, the old system worked fine and all they feel they have gained is a lot of unwanted hassle.
Presenting Information
Not only should information be accurate, up-to-date, complete and relevant but it must also be presented effectively. Otherwise, correct data can be rendered useless.
There are different ways of presenting information to people.
- One-to-one: Often a face to face conversation is the most effective way for someone to ensure they have been understood. It is also useful if confidential matters must be discussed. However this is not effective if a lot of people have to be told the same thing.
- As a verbal presentation: There are times when it is necessary to call people together and speak to them as a group. Often some sort of projection system will be used to highlight the key points – either an overhead projector with acetates or a laptop running a presentation package.
- Verbally, by telephone: This can be achieved by telephoning each person who has to receive the information (although this is slow) or by phoning a few people who will pass it on. The latter is a quick way to pass information but it is more difficult to ensure accuracy.
- As an e-mail to the appropriate people: Much quicker and more accurate than a telephone call, although there is the possibility that the e-mail may be leaked. Also, as many people receive a huge amount of mail each day, there is no guarantee it will be read.
- As a printed summary: As with e-mail, some people receive more pieces of paper than they can deal with. However, a piece of paper sitting on a person’s desk is more difficult to ignore than an e-mail.
- As a formal document: If presented using desktop publishing software, it looks more ‘official’ than a simple printout and hence may be treated more seriously. It is particularly effective for certain types of information, such as quarterly reports or technical documentation.
- Via a company intranet or the internet: Information can be quickly disseminated this way. Instead of printing bulky documents that may never be read, a PDF file can be made available for download. This has the benefit that the files can be searched. Many companies expect employees to check intranets regularly for new information.
No matter which of the presentation methods is used, the same information can come across as either appealing or unappealing, depending on who presents it and how. While plain text is often an easy way to present data it can be unattractive for readers. On the other hand, while graphics are appealing and easy to follow, the temptation to use too much colour or too many design elements must be resisted. Colour is good, but can be overpowering if the page appears to have emerged from an explosion in a paint factory.
Verbal presentations can be useful, but only if people are interested. Many meetings leave people more confused on leaving than when they arrived because of poor use of graphics or a lack of communication skills on the part of the speakers. The advantage of verbal presentations, when compared to leaving notes for people, is that if everybody attends they have no excuse for not knowing what they are expected to know.