Information Systems Operations
IS Operations (Chapter 9)
Practicum: Cendant Corporation
What are ‘Operations’
Development and Test
Production
Outsourcing and Utility Computing
Two Components
Or you might consider them two sides to one system
Business Operations: All the tangible physical things that go on in a corporation
Computer Operations
Business & Computer Operations
[Figure: Business Operations and the Parallel (Logical) World of Computer Operations. Labels: External Real World Entities and Events that Create and Destroy Value; Transactions; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Measurement / Posting; Journal Entries; Ledgers: Databases; Reports: Statistics; Computer Systems; Corporate Law; Internal Control Memo; Internal Control Review Over Operations; Audit Program]
Computer Operations
Only a subset of business operations are computerized (automated)
Computers do the following well:
High-speed arithmetic operations
Storage and search of massive quantities of data
Standardization of repetitive procedures
All other Business Operations require human intervention
Human Intervention
Even computer operations require human intervention at some level
E.g., turning the computer on and off
In both business and computer operations, human interventions demand the most auditing
Automation & Operations Objectives
Operations should be about following predetermined procedures
The appeal rests largely on the ability to reduce or alter the role of people in the process
The intent is to take people out of the loop entirely,
Or to increase the likelihood that people will do what they are supposed to do, and that they do it accurately
People are flexible and clever
We sometimes don’t want to take people out of the loop on a lot of systems
The problem is when a lot of things break at the same time.
There’ll probably be a few things that are hard to fix, a cascade of effects.
Computerized procedures
Fully automated (computerized) procedures
Can be audited once with a small data set
And these results can be considered to hold over time
@ Boeing?
The ‘Glass House’
Mass Storage
Z Microsystems TranzPacs
Shared chassis - shared peripherals.
Less space, less weight, less power, less cost.
Hot-swappable sealed computer modules (SCM) and disk modules.
Mix & match platforms and OS's.
Independent stand-alone systems.
Shared peripheral clusters.
Mass Storage at NASA
Server Farms
Audit Here!
Systems Life Cycle
[Figure: Systems Life Cycle. Axes: Resource Use versus Time. Phases: Requirements Specification; Design & Programming; Testing; Release; Production; Replacement]
Operations Objectives
What to look for in an audit
Production jobs are completed in time
Output (information) is distributed on time
Backup and recovery procedures are adequate (requires risk analysis)
Maintenance procedures adequately protect computer hardware and software
Logs are kept of all changes to HW & SW
Case Study: Manual versus Automated Scheduling
pp. 187-189
Question: Why is automation important?
Backup and Recovery Objectives Best Practices
Determination of appropriate recovery and resumption objectives for activities in support of critical markets.
Core organizations should develop the capacity to recover and resume activities within the business day on which the disruption occurs.
The overall goal is to resume operations within two hours
Maintenance of sufficient geographic dispersion of resources to meet recovery and resumption objectives.
Back-up sites should not rely on the same infrastructure components used by the primary site, and
back-up operations should not be impaired by a wide-scale evacuation or inaccessibility of staff that services the primary site
Routine use or testing of recovery and resumption arrangements.
Testing should not only cover back-up facilities of the firm, but connections with the markets, third party service providers and customers
Connectivity, functionality and volume capacity should be covered.
How Does Backup & Recovery Fit into your Risk Assessment Framework?
Your Toolkit: Computer Inventory, Risk Assessment Matrix, Dataflow Diagrams and Systems Components Hierarchy
Asset (Ex 2.1) and Risk Assessment (Ex. 2.2 with improvements)

| Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)* | Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss |
|---|---|---|---|---|---|---|---|---|---|
| Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | 100 | 10000 |
| Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12250 |
[Figure: Systems Components Hierarchy and Audit Objectives. Labels: Business Application Systems; Transaction Flows; Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment; Asset Loss Risks (Internal Audits); Reporting Risks (External Audit); Control Process Risks (Internal & External Audits)]
Prioritizing Backup & Recovery Tasks
Find the critical transactions (High value; High volume)
Identify the critical applications for processing these transactions
Identify the critical personnel, including those you may not have hired or defined jobs for
Who are essential to processing these transactions
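An added example, not part of the original slides: one way to turn the risk assessment matrix into a backup and recovery priority list, first rechecking each stated expected loss against probability times cost. The first two rows repeat the slide's values; the "Sales Desk" row, the function names and the ranking rule (transaction value first, then expected loss) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed rows shaped like the risk assessment matrix. The first two repeat the
# slide's values; the third is invented and carries a deliberate arithmetic error.
# (owner, application, transaction flow, annual flow $M, risk, occurrences/yr, cost $, stated loss $)
ROWS = [
    ("Receiving Dock", "A/P", "RM Received from Vendor", 23, "Theft", 100, 100, 10000),
    ("Receiving Dock", "A/P", "RM Received from Vendor", 23,
     "Obsolescence and spoilage", 35, 350, 12250),
    ("Sales Desk", "Order Entry", "Customer orders", 140, "System outage", 2, 40000, 8000),
]

def expected_loss(per_year, cost):
    """Expected annual loss = occurrences per year x cost of a single occurrence."""
    return per_year * cost

def inconsistent_rows(rows):
    """Rows whose stated expected loss does not match probability x cost."""
    return [(risk, stated, expected_loss(n, cost))
            for _, _, _, _, risk, n, cost, stated in rows
            if stated != expected_loss(n, cost)]

def backup_priority(rows):
    """Rank applications by transaction value handled, then by total expected loss."""
    flows = defaultdict(dict)   # (owner, app) -> {flow name: annual value}, deduplicated
    losses = defaultdict(int)   # (owner, app) -> summed expected loss over all risks
    for owner, app, flow, value, _, n, cost, _ in rows:
        flows[(owner, app)][flow] = value
        losses[(owner, app)] += expected_loss(n, cost)
    ranked = sorted(flows, key=lambda k: (sum(flows[k].values()), losses[k]), reverse=True)
    return [(app, owner, sum(flows[(owner, app)].values()), losses[(owner, app)])
            for owner, app in ranked]

if __name__ == "__main__":
    for risk, stated, computed in inconsistent_rows(ROWS):
        print(f"recheck '{risk}': stated {stated}, computed {computed}")
    for app, owner, value, loss in backup_priority(ROWS):
        print(f"{app} ({owner}): flow ${value}M/yr, expected loss ${loss}/yr")
```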
Case Study: NYSE after 9/11
CNET interview with NYSE's chief technology officer Roger Burkhardt

Were most of the trading firms in the area that connect with your systems all up and running by 9:30 am on Monday (September 17)? Were there any from outside or in the area unable to participate in trading that morning?
We had lost a lot of telephone lines that bring in data to our computer centers and also voice lines to the floor, which would have meant that we would not have had full access by all members. That raised some public policy issues, particularly for the retail investor; if their broker-dealer is the one who doesn't have connectivity, they would be disadvantaged.

"I think September 11 was the biggest challenge that our technical team has had to face in recent years."

So NYSE faced a connectivity issue on a uniquely massive scale?
There was a connectivity issue that affected not just our market, but all markets. There was also the fact that there were a number of firms that were scrambling to get into their back-up facilities. A number of large firms like Morgan Stanley and Merrill Lynch were affected. And then there were firms like Goldman Sachs, just down the street from here, who were like us in that their building was undamaged. In fact, the Merrill Lynch building was also undamaged, but they were just not allowed to come in because the authorities quite rightly wanted to focus on rescue operations. That affected all the markets. Clearly, if you want a market, you want it to be a fair market, with breadth of access. You don't want one retail investor to not be able to get through to sell or buy.

So by Monday, how did you manage to connect all the firms that connect to your systems?
We worked with member firms for the balance of that week to help them re-establish connectivity. We worked very closely with Verizon, whose staff did a tremendous job. We have a subsidiary called Securities Industry Automation Corporation. It's been around for over 25 years and provides data processing and communications capabilities for the securities industry. It was initially set up by the NYSE and the American Stock Exchange, but also provides services to a broader part of the industry--for example, market data systems for equities and options. It also is the collection point for all the post trade information for all instruments. What is important about that is that because so many of us use them, they have telephone lines coming in from everybody. They play this hub role where they can effectively use communications set up for one purpose in an emergency to recover something else.

"With the potential for cyber threats, the advice I get is, 'Don't tell anyone about anything we are using.'"

What other platforms are you using?
I just used that as an example that we are not a trailing edge adopter. And I am a little sad about this because I enjoy talking about a bunch of technologies here from many great companies like HP, IBM and others. But with the potential for cyberthreats, the advice I get is, "Don't tell anyone about anything we are using."
Business Operations
Computer Operations are a subset of business operations
Case Studies
CS 9.3 to 9.7, pp. 195-202
Question: Can you recognize the control weaknesses? What is the ‘Risk’ from inadequate control in each?
Practicum:
Fraud Risk & The Internal Control Environment
Cendant Corporation