Delivery in day(s): 5
MIS101 Management Information System Oz Assignments
Purpose of investigation and significance
The use of information technology IT has become an essential aspect of modern organizations. For an organization to provide reliable and secure strategies for access to its information technology systems, it must establish a clear frameworks-based policy for managing its operations (Oleszek, 2013). For the scenario in this particular essay, a Control, Objectives for Information and Related Technology (COBIT) will be the most appropriate for IT governance. This document shall first of all explore COBIT before it formulate the pertinent policy for managing IT functions in the organization.
COBIT involves a framework for formulating, developing, implementing as well as monitoring and improving the governance and management of information technology IT. This framework was developed by the Information System Audit and Control Association (ISACA) to be an aiding tool for IT management and allow for bridging between technical issues, control requirements, and business risks (De Haes, Van Grembergen, & Debreceny, 2013). This framework provide a common language for IT oriented organizations to communicate with one another concerning policy development, implementation and monitoring that is essential in managing organizations.
The original version of COBIT was published in the year 1996, this version primarily focused on auditing. The current version (published in 2013), however, give emphasis to the value information governance is essential for an organization to achieve its business goals. However, organizations rarely implement this essential framework despite the fact that it is a fundamental concept in the conceptualization of this critical aspect.
Moreover, as critical concerns in conceptualization on the information system department of many organizations is that of the policy, there exist a considerable amount of semantic confusions regarding the plans still. Policy is often used synonymously with strategy. In the eyes of Weimer and Vining (2017), procedures are referred to as guidelines for implementing a plan. Walsh’s view, on the other hand, holds policy as the expression as well as guiding images for a strategy. All in all, appropriate COBIT framework-based policies and procedures for management of IT functions are of great significance in every organization that utilizes IT in managing its operations as COBIT is currently used by nearly all IT department managers to equip them with a promising model that provides value to the business. As a consequence, I will establish the appropriate COBIT framework-based policies for managing the IT functions in light of the following scenario.
I am an IT manager at King and Queen Hotel Suites located in New Zealand, which is one of the top rated five hotels in the country. I must maintain records of customer entries and their departure as well as the attendance records of staffs and their pay scale database, resources, tax returns, and documents. I also plan, organize and maintain all duties pertaining to camera records and staff duty schedules on a daily basis.
At the King and Queen Hotel, we need a formal IT governance that will aid in King and Queen Hotel activities, especially in user control access area. Implementing a strategic approach in governing information system in the King and Queen Hotel will complement the current information management system if the organization is to achieve its objectives. One critical issue missing in the current information system governance within the IT department is the accessibility to a comprehensive set of pertinent COBIT frame-work based policies for managing IT functions within the IT department of the organization (Al Omari, Barnes, & Pitman, 2012; Zhang, & Le, 2013). As such, the organization needs a well-defined procedure that will govern its IT staffs in their operations.
Analysis of literature
This section presents a survey of articles regarding pertinent COBIT framework-based policies for managing functionalities of an IT department in organization, these works provide a prior knowledge required to start the policy development process.
In the past decades, IT-dependent organizations changed from commodity service providers to a strategic partner. Loorbach (2010) expounds that organizations that use IT tools for their operations are now seen to be increasing their business growth instead of expenses. The primary goal for the IT governance in every organization is to ensure that the investment in IT sector generates values as it mitigates some risks which might come along with it (Loorbach 2010). This can get accomplished by implementing an IT organization structure with appropriate policies governing the responsibility of information, infrastructure, business resources and software applications among others.
Information system has frequently been upgrading its software and hardware over the years to keep the pace of the technology trends. A study by Laudon, K.C. and Laudon, J.P. (2016) suggest that the technological environment of the information system in organizations has become not only sophisticated but also diversified. The information system may consist of many servers, operating system for the servers, operating system for computers, hardware platform for PCs, office automation software, software update services, and system management servers among others (Laudon, K.C., and Laudon, J.P., 2016). Considering the vast amount of system to manage, it is worth noting that a proper IT management policies are essential for the system maintenance including software updates.
IT system security
The primary goal for IT system security is to protect the information that is valuable for an organization. The resources may include both hardware and software as well as skilled personnel (Bulgurcu, Cavusoglu, & Benbasat, 2010). Security is a very crucial component of the information system of an organization; it helps organizations in meeting their missions and business objectives by safeguarding its physical and legal positions, reputations, and employees, financial and other tangible as well as intangible resources.
The IT system security begins and ends with the individuals within an organization as well as the people interacting with the system intentionally or by coincidence (Ifinedo, 2012). The author further cite that the weakest link in the security chain could be the end users who try to access the information that is protected by security professionals. Security administrators can significantly reduce these risks level that is caused by end users and provide more security profiles that are more acceptable and supportable to the users (Ren, Wang, C., & Wang, Q., 2012; Peltier, 2013). By implementing these measures, alongside relevant policies and training, the performance of end-user can significantly improve thus ensuring security within the information system.
Policy development procedure
During the policy development, the needs of the Kings and Queens Organization will determined, on basis of this, a draft will be made after which the final policy will be available for the organization after approval.
Policy control areas
At the King and Queen Hotel, the policy framework is formulated to govern the following major information technology general system areas:
1. Data management
2. IT system security
Exploring the policy framework
After designing the basic policy framework, a list of draft of the policy framework was formulated with the help of question: What is our responsibility as IT staffs in King and Queen’s hotel? This question will provided the base upon which the policies of the organization will lie to ensure the compliance of the control objects (Alfaraj, & Qin, 2011; Petruch, Stantchev, & Tamm, 2011). The procedures within the policy were further developed with aid of the following question: How are we supposed to carry out our responsibilities in the organization? This question will be handy when it comes to development of various procedures within the organization to ensure that pertinent functions are linked to the organization’s original control objective (Chaudhuri, 2011).
To ensure that the policy is coherent with the organization’s control objectives and consistent with appropriate COBIT control areas, the first version of the policy will be reviewed for adequacy and will be compared with the policy content as well as the risk management framework. Afterwards, subsequent refinement of the policy will be made in accordance with IT and in cooperation with COBIT control objectives. The IT management policy will be available for the King and Queen Hotel after passing through various iterations including IT management and internal audits.
As identified earlier, the user access area was determined as the crucial element in the top-node of the Kings and Queens Organization policy framework. Since COBIT framework will be used for this policy, user access management shall be used as a supplement to access control. The management control objective of user access control will make reference to the user account’s life cycle in accordance with hires, amendments as well as terminations (Ifinedo, 2012; Peltier, 2013). Making use of the Kings and Queen organization’s current existing access control policy as well as COBIT control objectives. Afterwards, a general which will be a resulting first draft of the user access control policy will be formulated as follows according to Bernroider, & Ivanov, (2011).
ES1: Ensure System Security
Information has always become an asset in every organization which utilize IT in its daily operations, including the Kings and Queens Hotel. Since information is vulnerable to attack, there is need for the organization to develop a policy framework to protect the sensitive information of the organization and make it appear at the competitive edge in the market. As such the following policy will be adopted by the Kings and Queens Organization:
All parties shall adhere to the policies including but not limited to the organization’s policies defined in the following subsections to ensure security of the system.
ES1.1: Ensure IT system security
Normally, the main target in every attack incidents is an organization’s information system; this is where all sensitive information of the King and Queen Hotel are stored, it therefore needs maximum protection. Following this rationale, the following policy will apply:
The Kings and Queens organization IT staffs shall manage the security of the system at the highest organizational behaviour level such that the management of security actions is coherent with the business goals of the organization.
ES1.2: Security incident definition
Understanding what a security incident entails is a essential to be well conversant with the It security policy, therefore, the meaning of security incident needs to be made clear to the IT staffs in King and Queen Organization by classifying the potential security threats; without understanding security incidents, one may not be able to decide how it should be handled and what controls should get executed. To mitigate such situations the following policy will be used:
The IT staff shall clearly define security incident and be well conversant with potential security threats so that they can be classified easily and treated by incident and problem management process on the off chance that they occur.
ES1.3: Security plan
A strategic planning regarding information security is a worthwhile strategy that should be considered by every department in the King and Queen hotel; a well-defined plan can help the organization to mitigate, accept or avoid the information risk which is related to not only its users but also the organization’s employees. Following this rationale, the following policies will be adopted by the Kings and Queens Hotel IT staff:
The King and Queen Organization IT professional shall translate the business, risk as well as the compliance necessities to put into place the overall information system security plan taking into account the security culture and infrastructure of the organization.
The King and Queen Hotel IT team shall ensure that the plan is adopted in the security policy as well as procedures along with pertinent investment in services, hardware, and software and pass the system security policies and procedures to the organization’s stakeholders as well as customers.
ES1.4: User account management
The organization’s user accounts system are to be used for the business activities of the corporation and not for personal activities. As such, there is need to monitor the activities of user accounts and therefore the following policy will apply:
The King and Queen IT professionals shall address issues related to but not limited to establishment, requesting, modifying, issuing, and closing user accounts as well as user related privileges with a predefined procedures for managing user accounts.
ES1.4: Back and forth transfer of sensitive data
In many occasions, data will be transferred between internal departments and third party service providers at Kings and Queens Organization amid business activities. Considering that the data transfer always get accompanied by data breach, the following policy will mitigate the risks that may be experienced during data transfer:
The IT department shall ensure exchange of sensitive information only over a trusted media in order to offer the authenticity of the data, non-repudiation of the source, proof of receipt, and proof of submission.
The related procedures of the policy will then be developed by asking the question like: how should we do it? Specific measures regarding the notification of separation, recording of separation and implementation of separation will be formulated and get refined in order to complete the final copy of the policy (Loorbach, 2010; Routray, Sharma, Uttamchandani, & Verma, 2012). The development of the refined draft of the user control access policy will require the use of COBIT framework after which the policy will be ready to be executed by the organization.
The primary objective of this study was to establish appropriate framework-based policies for managing the information technology in King and Queen Hotel, in New Zealand. Fifty questionnaires were distributed to IT staffs in the organization. The response rate was 95%. This section will present the findings of the study.
The respondents including the organization’s IT staff were asked whether the COBIT framework for information management would change their work performance as IT professionals of the King and Queen Hotel. These findings consider only respondents who showed that the establishment of a COBIT framework would increase the functionality of the IT system for the business organization.
Of the six control areas that were listed in the questionnaire, two major areas were identified to be having a response rate of 96%. The fields are stated as follows: IT system security 97%, and IT data management 95%. Similarly, Hu, Dinev, Hart, and Cooke (2012) expound that a system governed by a well outlined framework-based policies guarantees the confidentiality of data as well as protection of all IT resources within an organization, this improves the functionality of the organization.
At a glance, from findings of this study, a conclusion regarding the implementation of COBIT framework in the King and Queen Hotel, New Zealand IT department can be drawn. The results of the study cite that implementation of the relevant framework-based policies will improve the IT functions within the King and Queen Hotel.
IT system security and IT data management were indicated as the four major control areas that need to be given priority in establishing the organization policy. The organization’s IT department policy cannot be overlooked as it is a critical aspect of the organization’s operation since the IT department manages all the sensitive information of the business organization.
It can be concluded from this study that the employees of the King and Queen Hotel have realized the importance of having a clear policies governing the organization’s IT department. Since appropriate procedures governs all operations regarding IT management team, therefore, it can be inferred that the IT staff of the King and Queen Hotel contend that COBIT framework-based policies are the most effective means by which the organization’s operations can be managed. As a result, I, as the manager of the organization’s IT department can explicitly demonstrate the rationale for establishment of the pertinent policies that are appropriate for the organization in collaboration with other IT staffs as well as the organization’s manager.
1. Al Omari, L., Barnes, P. H., & Pitman, G. (2012, December). Optimising COBIT 5 for IT governance: examples from the public sector. In Proceedings of the ATISR 2012: 2nd International Conference on Applied and Theoretical Information Systems Research (2nd. ATISR2012). Academy of Taiwan Information Systems Research.
2. Alfaraj, H. M., & Qin, S. (2011). Operationalising CMMI: integrating CMMI and CoBIT perspective. Journal of Engineering, Design and Technology, 9(3), 323-335.
3. Bernroider, E. W., & Ivanov, M. (2011). IT project management control and the Control Objectives for IT and related Technology (CobiT) framework. International Journal of Project Management, 29(3), 325-336.
4. Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3), 523-548.
5. Chaudhuri, A. (2011). Enabling effective IT governance: Leveraging ISO/IEC 38500: 2008 and COBIT to achieve business–IT alignment. Edpacs, 44(2), 1-18.
6. De Haes, S., Van Grembergen, W. and Debreceny, R.S., 2013. COBIT 5 and enterprise governance of information technology: Building blocks and research opportunities. Journal of Information Systems, 27(1), pp.307-324.
7. Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), 615-660.
8. Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83-95.
9. Laudon, K. C., & Laudon, J. P. (2016). Management information system. Pearson Education India.
10. Loorbach, D. (2010). Transition management for sustainable development: a prescriptive, complexity?based governance framework. Governance, 23(1), 161-183.
11. Oleszek, W. J. (2013). Congressional procedures and the policy process. Sage.
12. Peltier, T. R. (2013). Information security fundamentals. CRC Press.
13. Petruch, K., Stantchev, V., & Tamm, G. (2011). A survey on IT-governance aspects of cloud computing. International Journal of Web and Grid Services, 7(3), 268-303.
14. Ren, K., Wang, C., & Wang, Q. (2012). Security challenges for the public cloud. IEEE Internet Computing, 16(1), 69-73.
15. Routray, R. R., Sharma, U., Uttamchandani, S. M., & Verma, A. (2012). U.S. Patent No. 8,121,966. Washington, DC: U.S. Patent and Trademark Office.
16. Walsh, C. E. (2017). Monetary theory and policy. MIT press.Weimer, D. L., & Vining, A. R. (2017). Policy business analysis: Concepts and practice. Routledge. Available at: <https://trove.nla.gov.au/work/8676611> [Accessed on 3rd September, 2018]
17. Zhang, S., & Le, F. H. (2013). An Examination of the Practicability of COBIT Framework and the Proposal of a COBIT-BSC Model. Journal of Economics, 1, 5