Enterprise Information Systems and Security Concerns

Enterprise Information Systems (EIS) are integrated systems that support the business processes of large organizations, encompassing functions like accounting, production, and customer support. EIS helps eliminate information silos and manage mission-critical data from legacy systems, enhancing efficiency and decision-making through real-time data access and automation. Popular EIS applications include ERP, CRM, and SCM, each offering distinct benefits and challenges for organizations.


Enterprise Information Systems (EIS)

An Enterprise System, or Enterprise Information System (EIS), is an integrated information system capable of supporting the business processes and functions of large organizations.

Let’s simplify the above definition by breaking down the crucial words:
Business processes and functions
The main business processes and functions common to most enterprises are:
● Accounting and Finance
● Production and Manufacturing
● Marketing
● Human Resources
● Customer Support
● Logistics and Inventory

Information System
An Information System is a collection of different components working together to collect, process, store and distribute data and information. The five main components of an Information System are:
1. Hardware
2. Software
3. Data
4. Networks
5. People and Procedures

‘Integrated’ Information System


In the definition above, we use the term ‘Integrated’ with Information Systems.
That is because Enterprise Information Systems are generally a combination of
one or more of the following systems:
● Enterprise Resource Planning(ERP)
● Customer Relationship Management(CRM)
● Supply Chain Management(SCM)
● Knowledge Management(KM)
● Product Lifecycle Management(PLM)
● Human Resource Management(HRM) etc.

In other words, an Enterprise Information System is a set of one or more large-scale application software packages that can efficiently manage large volumes of data and support business processes, information flow, data analytics, reporting, etc. at the enterprise level.

Why do organizations need Enterprise Information Systems?

There are multiple reasons for an organization to use Enterprise Information Systems. The two main reasons are as follows:

1. Islands of Information
2. Mission-critical data from the Legacy Systems
1. Islands of Information
An organization has multiple departments, for example Production, Accounting, Marketing, Supplier Management, and Customer Support. Each department produces a large volume of information independently, so the information of each department is isolated from the others. This forms islands of information (information islands).

Information islands are a problem because data must be shared among departments on a regular basis, and this sharing is what enterprise systems provide.

For example, the Marketing, Sales, and Accounting Departments constantly need to share data with each other for the business process to run smoothly and efficiently. If this sharing is done with traditional methods, the business process slows down. If enterprise systems are used, the data is shared smoothly.

2. Mission-critical data from the Legacy Systems

As technology evolves, the old systems become outdated. Databases and software applications that have been used for decades reach end-of-life: they can no longer be updated, which also means they no longer receive security fixes. The data in these legacy systems is mission-critical and is the wealth of the enterprise. Thus the critical data has to be moved into a data warehouse and integrated with the current system, and this can be achieved by enterprise systems.

Popular Software Applications for Enterprise Systems

There are hundreds of vendors in the market who supply software for enterprise systems. The most popular ones are:

● SAP
● Oracle NetSuite
● Salesforce
● Datapine
● Microsoft Dynamics

Besides, an organization may also develop customized system software specific to its requirements.

Advantages of Enterprise Information Systems(EIS)

Real-time Access to Data

Enterprise systems provide instant access to information and data.

Sharing of Enterprise Data

Sharing data among departments results in faster business processes and thus increases efficiency and profitability.

Automation of Business Processes

Be it inventory management, logistics, or customer service, business processes can be automated to a large extent with minimal human intervention. This leads to enhanced productivity.

Report Generation and Data Analysis

The reports (spreadsheets, statistical values, graphs, etc.) auto-generated by enterprise software are more accurate and reliable than those generated manually. They also help with data analysis and the planning that follows from it.

Besides, organizations can achieve better data security, enhanced data quality, employee satisfaction, and increased customer loyalty. The security gain comes from having one place to enforce access control and to audit who read or changed what, instead of one policy per departmental system; the same centralization also means that one compromised account or integration can reach all of the data, which is the security risk listed under the disadvantages below. These benefits lead to competitive advantages.

Disadvantages of Enterprise Information Systems (EIS)

● Implementation is costly
● Change management is difficult
● Experts and highly trained employees are needed
● Security risks: the central database that every department, and often external partners, can reach concentrates the organization's most sensitive data in one place, so one compromised account, integration, or unpatched component can expose all of it

Enterprise Resource Planning

Enterprise Resource Planning (ERP) is a system that organizations use to manage their business processes and functions. This management is done by using a suite of application software called ERP software.

It integrates the data from all the departments in an organization into a central database, thus streamlining the business processes and making data sharing easier.

Why do organizations use ERP?

Before answering Why do organizations use or need ERP software, let’s see a
typical business process in an organization.

Figure: Mr. John, the customer in the example.

1. Mr. John places an order with a fictional company, Dhangadhi Unicorn Enterprises. The Sales Department receives the order.
2. The Sales Department checks whether the ordered products are available in inventory. If they are, the sales team fulfils Mr. John's order.
3. If the products are not available in inventory, the sales team has to enquire with the Production Department. The Production Department now wants to start manufacturing, for which it needs raw materials, so it contacts the Finance and Purchase Departments.
4. The Purchase and Finance Departments work together to procure the raw materials from the vendor.
5. Once the Purchase Department makes the raw materials available, the Production Department manufactures the products and informs the Inventory Department. Inventory now gets back to the Sales Department.
6. The Sales Department finally fulfils Mr. John's order.

Revisiting the above process, we can see how complicated things get when data is not integrated in real time among the departments. With this approach, the major problems are:
● Customer satisfaction is low because of the delay; the customer may even cancel the order.
● The cost of the business process is higher because of manual communication.
● Data is inconsistent and duplicated across departments because there are no real-time updates.

Let's see another scenario in which our company, Dhangadhi Unicorn Enterprises, uses an ERP with a shared integrated database. Unlike the previous system, the business processes are streamlined here. The presence of the central shared database makes them smoother and faster. This centralized database is also referred to as the "single source of truth".

If Mr. John places an order with the Sales Department, they can check the ERP's central database directly instead of going through the hassle of contacting other departments. If the ordered products are not available, they can create a requirement in the central database which is immediately visible to the Production Department. The Production Department in turn notifies the Purchase and Finance Departments through the same central database. The required raw materials are procured from the vendor, who is also connected to the ERP's integrated database. This makes the business process streamlined and faster.
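The following is an added example written for these notes, not code from any ERP product, that models the shared-database version of Mr. John's order in Python with a SQLite in-memory database. The table names, the SKU UNICORN-1 and the stock figures are constructed for the example. Sales writes the order and, if stock is short, a requirement row; Production reads that row from the same database and posts finished goods back, and the order is fulfilled without any inter-department message. The stock check and the stock decrement run inside one write transaction (BEGIN IMMEDIATE), because a "single source of truth" only stays true if two sales reps cannot both read five units in stock and both sell them; the CHECK (qty >= 0) constraint is a second line of defense that makes the database itself refuse an oversell.

```python
import sqlite3

# Constructed central schema for the hypothetical Dhangadhi Unicorn ERP: stock,
# customer orders and production requirements all live in the one database
# that every department reads and writes.
SCHEMA = """
CREATE TABLE inventory (sku TEXT PRIMARY KEY,
                        qty INTEGER NOT NULL CHECK (qty >= 0));
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, sku TEXT,
                     qty INTEGER, status TEXT);
CREATE TABLE requirements (id INTEGER PRIMARY KEY, order_id INTEGER, sku TEXT,
                           qty INTEGER, status TEXT);
"""

def open_central_db() -> sqlite3.Connection:
    """Shared database with one constructed stock line (5 units of UNICORN-1)."""
    con = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    con.executescript(SCHEMA)
    con.execute("INSERT INTO inventory VALUES ('UNICORN-1', 5)")
    return con

def stock_level(con: sqlite3.Connection, sku: str) -> int:
    row = con.execute("SELECT qty FROM inventory WHERE sku = ?", (sku,)).fetchone()
    return row[0] if row else 0

def order_status(con: sqlite3.Connection, order_id: int) -> str:
    return con.execute("SELECT status FROM orders WHERE id = ?", (order_id,)).fetchone()[0]

def place_order(con: sqlite3.Connection, customer: str, sku: str, qty: int) -> tuple:
    """Sales: check stock and either fulfil the order or raise a requirement.

    BEGIN IMMEDIATE takes the write lock before the stock check, so check and
    decrement are one atomic step.  Without it two reps can both read qty=5,
    both decide to fulfil, and the second write oversells (only the CHECK
    constraint in the schema would then stop it).
    """
    con.execute("BEGIN IMMEDIATE")
    try:
        stock = stock_level(con, sku)
        if stock >= qty:
            con.execute("UPDATE inventory SET qty = qty - ? WHERE sku = ?", (qty, sku))
            cur = con.execute("INSERT INTO orders (customer, sku, qty, status) "
                              "VALUES (?, ?, ?, 'fulfilled')", (customer, sku, qty))
            con.execute("COMMIT")
            return cur.lastrowid, "fulfilled"
        # Short of stock: park the order and write a requirement that Production
        # sees at once, with no e-mail or phone call between departments.
        cur = con.execute("INSERT INTO orders (customer, sku, qty, status) "
                          "VALUES (?, ?, ?, 'pending')", (customer, sku, qty))
        order_id = cur.lastrowid
        con.execute("INSERT INTO requirements (order_id, sku, qty, status) "
                    "VALUES (?, ?, ?, 'open')", (order_id, sku, qty - stock))
        con.execute("COMMIT")
        return order_id, "pending"
    except Exception:
        con.execute("ROLLBACK")
        raise

def open_requirements(con: sqlite3.Connection) -> list:
    """Production: the rows Sales just wrote, read from the same database."""
    return con.execute("SELECT id, order_id, sku, qty FROM requirements "
                       "WHERE status = 'open' ORDER BY id").fetchall()

def record_production(con: sqlite3.Connection, requirement_id: int, produced: int) -> str:
    """Production: post finished goods, close the requirement, fulfil the order."""
    con.execute("BEGIN IMMEDIATE")
    try:
        req = con.execute("SELECT order_id, sku FROM requirements "
                          "WHERE id = ? AND status = 'open'", (requirement_id,)).fetchone()
        if req is None:
            con.execute("ROLLBACK")
            return "no such open requirement"
        order_id, sku = req
        con.execute("UPDATE inventory SET qty = qty + ? WHERE sku = ?", (produced, sku))
        con.execute("UPDATE requirements SET status = 'done' WHERE id = ?", (requirement_id,))
        need = con.execute("SELECT qty FROM orders WHERE id = ?", (order_id,)).fetchone()[0]
        if stock_level(con, sku) >= need:
            con.execute("UPDATE inventory SET qty = qty - ? WHERE sku = ?", (need, sku))
            con.execute("UPDATE orders SET status = 'fulfilled' WHERE id = ?", (order_id,))
            con.execute("COMMIT")
            return "fulfilled"
        con.execute("COMMIT")
        return "still short"
    except Exception:
        con.execute("ROLLBACK")
        raise
```

Run with the constructed data, a first order for 3 units is fulfilled immediately, a second order for 4 units is parked with a requirement for the missing 2, and once Production records those 2 units the second order completes; a second attempt to close the same requirement is refused because it is no longer open.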

Characteristics of ERP Applications

● ERP applications link an enterprise's internal and external business processes together.
● ERP brings together the front office and back office.
● ERP applications integrate different components and thus bring silos of information together.
● ERPs integrate business processes, including sales, manufacturing, finance, human resources, supply chains, and customer support services.

Benefits of ERP
● Streamlining of Enterprise’s Daily Operations.
● Automation of Business Processes.
● Reduction in Erroneous and Inconsistent Data.
● Increased Accuracy, Efficiency, and Productivity.
● Optimized Purchase, Sales, and Production.
● Reduction in Operational Cost.
● Higher Customer Satisfaction.
● Better Planning for Manufacturing and Other Departments.
● Reporting and Data Analysis which helps in Decision Making.
● Data and network security: one place to enforce access control and to audit changes, with the caveat that the central database is also a single high-value target.
● Competitive Advantages.

Disadvantages of ERP
● Initially, the implementation is difficult and costly.
● Change management: the transition from the older system to the new one.

Supply Chain Management (SCM) Systems

Supply chain management (SCM) is the efficient management of the flows of material, data, and money in the supply chain. SCM software refers to software that supports the steps in the supply chain: manufacturing, inventory control, scheduling, and transportation. SCM software concentrates on improving decision-making, forecasting, optimization, and analysis. It is configured to achieve the following business goals:

● To reduce uncertainty and variability in order to improve the accuracy of forecasting
● To increase control over the processes in order to achieve optimal inventory levels, cycle time, and customer service

The benefits of SCM have long been recognized in business, government, and the
military. In today's competitive business environment, efficient, effective supply
chains are critical to survival and fully dependent on SCM software, which depends
on up-to-date and accurate data. If the network goes down or data is outdated,
those managing the supply chain are mostly working blind.

The use of RFID in the supply chain provides a major opportunity to reduce costs
and increase operating efficiencies. RFID can improve the efficiency of a supply
chain by improving data quality.

Figure: How RFID tags provide the data needed to manage the supply chain.

SCM Journey
The journey that a product travels, starting with raw material suppliers, then to
manufacturers or assemblers, then forward to distributors and retail sales shelves,
and ultimately to customers, is its supply chain. The supply chain is like a pipeline
composed of multiple companies that perform any of the following functions:
● Procurement of materials
● Transformation of materials into intermediate or finished products
● Distribution of finished products to retailers or customers
● Recycling or disposal in a landfill

Supply chains vary significantly depending on the type, complexity, and perishability of the product. For example, in a simplified sense, the food supply chain begins with the livestock or farm, moves to the manufacturer (processor), then through the distribution centers and wholesalers to the retailer and final customer. Track and trace technologies (e.g. RFID tags) are being used to improve food safety and reduce costs.

Supply chains involve the flow of materials, data, and money. The three main flows are:

1. Material or product flow: This is the movement of materials and goods from a supplier to its consumer. For example, chipmaker Intel supplies computer chips to its customer Dell, and Dell supplies its computers to end users. Products that are returned make up what is called the reverse supply chain, because goods are moving in the reverse direction. For any location on the supply chain, the immediate previous source is one-back and the immediate subsequent recipient is one-up. In the food chain, for example, each immediate previous supplier of food is a one-back and the immediate subsequent recipient (customer) of the food product is the one-up. For a manufacturer, raw material suppliers are one-back in the supply chain while retailers are one-up.

2. Information flow: This is the movement of detailed data among members of the supply chain, for example order information, customer information, order fulfillment, delivery status, and proof-of-delivery confirmation. Most information flows are electronic, although paper invoices or receipts are still common for noncommercial customers.

3. Financial flow: This is the transfer of payments and financial arrangements, for example billing, payment schedules, credit terms, and payment via electronic funds transfer (EFT). EFT provides for electronic payments and collections; it is faster and less expensive than paper check payments and collections. It is not automatically safer, though: the payment instructions and beneficiary bank details that travel in the information flow are exactly what an attacker tries to alter, so a change to a partner's account details should be confirmed through a separately established channel before any EFT is released against it.

Supply chain links are managed individually. Think of the chain in terms of its links, because the entire chain is not managed as a single unit. A company can only manage the links it actually touches; that is, it manages only the partners that are one-back and one-up, because that is the extent of what it can see and control.
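As an added example for the track-and-trace and one-back/one-up passages above (written for these notes; not from any RFID vendor), here is Python that rebuilds each tag's chain of custody from scan events and checks it hop by hop. The stage names and the scan data are constructed for the example and follow the simplified food chain described earlier. A complete chain is what makes a recall possible; a gap (a tag scanned at the retailer with no distributor scan) or a backwards hop is exactly the data-quality failure RFID is meant to remove, and is also what a counterfeit or diverted shipment looks like in the data.

```python
# Constructed scan events (tag, stage, timestamp); the stage names follow the
# simplified food chain in these notes.  Hypothetical data, not from a real system.
STAGES = ["farm", "processor", "distributor", "retailer"]

SCANS = [
    ("TAG-001", "farm", 1), ("TAG-001", "processor", 2),
    ("TAG-001", "distributor", 3), ("TAG-001", "retailer", 4),
    # TAG-002 was never scanned at the processor: a gap in the chain
    ("TAG-002", "farm", 1), ("TAG-002", "distributor", 3), ("TAG-002", "retailer", 4),
    # TAG-003 appears at the farm after the processor: a backwards hop
    ("TAG-003", "processor", 2), ("TAG-003", "farm", 3),
]


def custody_chain(scans, tag):
    """Scan events for one tag in time order, as (stage, timestamp) pairs."""
    return sorted(((s, t) for tg, s, t in scans if tg == tag), key=lambda e: e[1])


def neighbours(chain, stage):
    """The one-back and one-up partner of a stage in a tag's chain (None at the ends)."""
    seq = [s for s, _ in chain]
    i = seq.index(stage)
    one_back = seq[i - 1] if i > 0 else None
    one_up = seq[i + 1] if i + 1 < len(seq) else None
    return one_back, one_up


def validate(scans, stages=STAGES):
    """Check every tag's chain hop by hop and return {tag: [problem, ...]}.

    Each hop is one link (one-back -> one-up).  A hop that skips a stage means
    goods reached a partner without the previous partner's scan; a backwards
    hop means the events cannot be genuine in that order.  Both are the
    data-quality failures a recall or a counterfeit investigation trips over.
    """
    report = {}
    for tag in sorted({t for t, _, _ in scans}):
        chain = custody_chain(scans, tag)
        problems = []
        for (one_back, _), (one_up, _) in zip(chain, chain[1:]):
            b, u = stages.index(one_back), stages.index(one_up)
            if u < b:
                problems.append(f"out of order: {one_back} -> {one_up}")
            elif u - b > 1:
                skipped = ", ".join(stages[b + 1:u])
                problems.append(f"gap: {one_back} -> {one_up} skips {skipped}")
        report[tag] = problems
    return report


def clean_tags(scans, stages=STAGES):
    """Tags whose chain is complete and in order; only these are fully traceable."""
    return [tag for tag, problems in validate(scans, stages).items() if not problems]
```

The check only looks at each company's own links, which matches the point above that a company manages only its one-back and one-up partners: the retailer can see that the distributor scan is missing without knowing anything about the farm.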

Managing On-demand Activities

The current business environment contains the elements of an on-demand enterprise with real-time operations. To review those concepts:

On-demand enterprise
The concept of an on-demand enterprise is based on the premise that manufacturing or service fulfillment operations start only after an order is received. We also refer to this approach as build-to-order. Enterprises have added this approach to their traditional produce-to-stock manufacturing. As the term indicates, produce-to-stock is the manufacture of products to stockpile inventory so the company is ready to respond to future demand. An obvious example of produce-to-stock is automobile dealerships, which have huge inventories of vehicles on their lots.

On-demand and real-time processes

An on-demand process in the fulfillment cycle is one that is primed to respond to real-time conditions. There are no backorders, safety stock, lag time, or excess inventory. This principle is not fully achievable, but it is the direction in which high-tech companies are headed. Laptop and netbook manufacturers build to order as much as possible to reduce inventory, holding, and obsolescence costs. Inventory holding costs can add greatly to the cost of a product and narrow the profit margin.

These on-demand concepts have revolutionized the design and management of supply chains. To achieve on-demand and real-time processes, companies must reengineer their supply chain and add SCM to their ERP capabilities.

Customer Relationship Management (CRM) Systems

Every company depends on customers for revenues and growth. Marketing
managers run campaigns, promotions, commercials, and advertisements to attract
new customers, or increase sales to existing customers, or do both. Attracting new
customers is expensive; for example, it costs banks roughly $100 to acquire a new
customer. Newly acquired customers are unprofitable until they have purchased
enough products or services to exceed the cost to acquire and service them.
Therefore, retaining customers that generate revenues in excess of the costs (e.g.,
customer service, returns, promotional items, and the like) is critical - and the
underlying reason for customer relationship management (CRM). CRM refers to the
methodologies and software tools to leverage customer information in order to
achieve the following:
● Build greater customer loyalty and therefore greater profitability per
customer
● Deter customer attrition (loss of a customer)
● Acquire new customers who are most likely to become profitable
● Up-sell (sell more profitable products/services) or cross-sell (sell additional
products/services) to unprofitable customers to move them to a profit
position
● Reduce inefficiencies that waste advertising dollars
The purpose of frequent-purchase programs offered by airlines, supermarkets,
credit card issuers, retailers, casinos, and other companies is to track customers for
CRM purposes and build customer loyalty to improve financial performance.

According to management guru Peter Drucker, "Those companies who know their
customers, understand their needs, and communicate intelligently with them will
always have a competitive advantage over those that don't." For most types of
companies, marketing effectiveness depends on how well they know their
customers; specifically, knowing what their customers want, how best to contact
them, and what types of offers they are likely to respond to positively. According to
the loyalty effect, a 5 percent reduction in customer attrition can improve profits by
as much as 20 percent. Customer-centric business strategies strive to provide
products and services that customers want to buy. One of the best examples is the
Apple iPhone and iPod - devices that customers were willing to camp out on
sidewalks to buy to guarantee to get one on the day of their release. In contrast,
companies with product-centric strategies need to create demand for their
products, which is more expensive and may fail.

CRM IS MULTICHANNEL
CRM is implemented across multiple sales channels.
Dell Computer uses direct mail, e-mail, media advertising, and the Internet in
combination with personal contacts by sales representatives and special intranet
Web sites for large Dell accounts to stay connected with its customers.
Barnes & Noble's (BN.com) multichannel strategy allows customers to browse and
buy products at any of its stores or online. The "Readers Advantage" loyalty
program offers customers additional discounts and benefits. 1-800-FLOWERS.com
uses e-mail, Web sites, telephone, retail stores, and catalogs to deploy its
multichannel marketing strategies. The company's customer-centric focus has
enabled it to achieve up to 35 percent growth for several years.

CRM IS AN ENTERPRISEWIDE INITIATIVE

CRM is an enterprise-wide effort to acquire and retain profitable customers. CRM
focuses on building long-term and sustainable customer relationships for the
purpose of increasing the company's profitability. A common misconception about
CRM is that it's about providing services and perks to delight or keep customers
happy. As the Travelocity example shows, CRM is a data-driven, fact-based business
strategy to select and manage customers to optimize sales and profit.

Key components of CRM:

● Customers
● Call center
● Marketing department
● Sales department
● Customer support
CRM is basically a simple idea: Treat different customers differently according to
their current or potential value to the company. CRM involves much more than just
sales and marketing because a firm must be able to change how its products are
configured or its services are delivered based on the needs of individual customers
or customer segments. Smart companies encourage the active participation of
customers in the development of products, services, and solutions.

eCRM
There's one key advancement created by Web 2.0 that organizations must force
themselves to recognize: "Your customers have the technology, too, and if you
don't deliver a customer experience that's of value to them, they will let the
community know."
CRM has been practiced manually by corporations for generations. However, since
the mid-1990s, various types of information technologies have enhanced CRM. CRM
technology is an evolutionary response to changes in the business environment,
making use of new IT devices and tools. The term e-CRM (electronic CRM) was
coined in the mid-1990s when businesses started using Web browsers, the Internet,
and other electronic touchpoints (e-mail, POS terminals, call centers, and direct
sales) to manage customer relationships. E-CRM covers a broad range of topics,
tools, and methods, ranging from the proper design of digital products and services
to pricing to loyalty programs.

Through Internet technologies, data generated about customers can be easily fed
into marketing, sales, and customer service applications for analysis. Electronic
CRM also includes online applications that lead to segmentation and
personalization. The success of these efforts can be measured and modified in
real-time, further elevating customer expectations. In a world connected by the
Internet, e-CRM has become a requirement for survival, not just a competitive
advantage.

Loyalty programs are programs that recognize customers who repeatedly use the
services (products) offered by a company. A well-known example is the airlines'
frequent-flyers program. Casinos use their players' clubs to reward their frequent
players. Many supermarkets use some kind of program to reward frequent
shoppers, as do many other companies. These programs include some kind of
database (or data warehouse) to manage the accounting of the points collected and
the rewards. Analytical tools such as data mining are then used to explore the data
and learn about customer behavior.

CRM SUCCESSES AND FAILURES

As with many IT innovations, there were initially numerous CRM failures, which were reported in the media. Some of the major issues behind CRM failures are the following:

● Failure to identify and focus on specific business problems that the CRM can
solve.
● Lack of active senior management (non-IT) sponsorship.
● Poor user acceptance. This can occur for a variety of reasons, such as unclear
benefits - that is, CRM is a tool for management, but it may not help a rep sell
more effectively - and usability problems.
● An attempt to automate a poorly defined business process in the CRM
implementation.

Example of a Failure. Citizen National Bank's experience is an example of a failure, a change of CRM vendor, and then a success. The lessons learned, at a cost of $500,000, were:

● Be absolutely clear about how the CRM application will add value to the sales
process.
● Determine if and why salespeople are avoiding CRM.
● Provide incentives for the sales team to adopt CRM.
● Find ways to simplify the use of the CRM application.
● Adjust the CRM system as business needs change.

Justifying e-CRM
One of the biggest problems in CRM implementation is the difficulty of defining and
measuring success. Additionally, many companies say that when it comes to
determining value, intangible benefits are more significant than tangible cost
savings. Yet companies often fail to establish quantitative or even qualitative
measures in order to judge these intangible benefits.
A formal business plan must be in place before the e-CRM project begins - one that
quantifies the expected costs, tangible financial benefits, and intangible strategic
benefits, as well as the risks. The plan should include an assessment of the
following:

Tangible net benefits

The plan must include a clear and precise cost-benefit analysis that lists all of the planned project costs and tangible benefits. This portion of the plan should also contain a strategy for assessing key financial metrics, such as ROI, NPV, or other justification methods.
Intangible benefits
The plan should detail the expected intangible benefits, and it should list the
measured successes and shortfalls. Often, an improvement in customer
satisfaction is the primary goal of the e-CRM solution, but in many cases, this key
value is not measured.

Risk assessment
The risk assessment is a list of all of the potential pitfalls related to the people,
processes, and technology that are involved in the e-CRM project.
Having such a list helps to lessen the probability that problems will occur. And, if
they do occur, a company may find that, by having listed and considered the
problems in advance, the problems are more manageable than they would have
been otherwise.

Tangible and Intangible Benefits

Benefits typically include increases in staff productivity (e.g., closing more deals, avoiding costs, increasing revenues, and increasing margins) as well as reductions in inventory costs (e.g., due to the elimination of errors). Other benefits include increased customer satisfaction, loyalty, and retention.
Potential Pitfalls and Risks of e-CRM
● Taking on more than can be delivered. The e-CRM solution should target
specific sales or service business functions or specific groups of users.
Additionally, it is essential to manage the project's scope, goals, and
objectives throughout the project development phase and deployment.
● Getting over budget and behind schedule.
● Poor user adoption. Ease of use and adequate training are essential.
● Expensive maintenance and support.
● Isolation. The effectiveness of a project may suffer if the CRM data is not
used throughout the company.
● Garbage in–garbage out (GIGO). Because e-CRM systems require so much
data entry, users often put in placeholders, misguided estimates, or
inaccurate information, which leads to poor analytical results and
decision-making errors.
● Failure to measure success. Measurement of pre-project status and
post-project achievements is essential for a company to show success.

On-Demand CRM
Like several other enterprise systems, CRM can be delivered in two ways:
on-premises and on-demand. The traditional way to deliver such systems was
on-premises - meaning users purchased the system and installed it on site. This
was very expensive, with a large upfront payment. Many SMEs (small and
medium-sized enterprises) could not justify it, especially because most CRM
benefits are intangible.

The solution to the situation is to lease the software. Salesforce.com pioneered the
concept for its several CRM products, including supporting salespeople, under the
name of On-Demand CRM, offering the software over the Internet. The concept of
on-demand is known also as utility computing or software-as-a-service (SaaS).
On-demand CRM is basically a CRM hosted by a vendor on the vendor's premises,
in contrast to the traditional practice of buying the software and using it on site.
On-demand CRM must be weighed against the following implementation problems:

● Service providers can go out of business, leaving customers without service.
● It is difficult, or even impossible, to modify hosted software.
● Upgrading could become a problem.
● Relinquishing strategic data to a hosting vendor can be risky: the contract should state who owns the customer data, how the vendor protects it, who at the vendor can see it, and how it can be exported if the relationship ends.
● Integration with existing software may be difficult.

The benefits are:

● Improved cash flow due to savings in the up-front purchase
● No need for corporate software experts
● Ease of use with minimal training
● Fast time-to-market
● Vendors' expertise available

Knowledge Management (KM) Systems

Forrester Research and IBM estimated that up to 85 percent of a company's knowledge is not stored in databases. Knowledge is dispersed in social media, e-mail, texts, intranets, Word documents, spreadsheets, and presentations on individual computers and mobile devices. Knowledge typically is unstructured and has strong experiential and reflective elements that distinguish it from information in a given context.

KNOWLEDGE
Having knowledge implies that it can be used to solve a problem, whereas having
information does not. The ability to act is an integral part of being knowledgeable.
For example, two people in the same context with the same information may not
have the same ability to use the information with the same degree of success.
There is a difference in the human capability to add value. The differences in ability
may be due to different experiences, different training, different perspectives, and
other factors.
Whereas data, information, and knowledge may all be viewed as assets of an
organization, knowledge provides a higher level of meaning about data and
information. It conveys meaning and tends to be much more valuable, yet more
ephemeral.
In the IT context, knowledge is very distinct from data and information. Whereas
data is a collection of facts, measurements, and statistics, information is organized
or processed data that is timely and accurate. Knowledge is information that is
contextual, relevant, and actionable.

KNOWLEDGE MANAGEMENT (KM)

Knowledge management (KM) is a process that helps organizations identify, select, organize, disseminate, and transfer important information and expertise that are part of the organization's memory. The goal of KM systems is to identify, capture, store, maintain, and deliver useful knowledge in a meaningful form to anyone who needs it, anyplace and anytime, within an organization. KM systems support sharing, decision making, and collaborating at the organization level regardless of location.
KM initiatives focus on identifying knowledge, explicating it in such a way that it can
be shared in a formal or systematic manner, and leveraging its value through reuse.
Through a supportive organizational climate and IT, an organization can bring its
entire organizational memory and knowledge to bear upon any problem anywhere
in the world and at any time. For organizational success, knowledge, as a form of
capital, must be exchangeable among persons, and it must be able to grow. Knowledge
about how problems are solved can be captured, so that KM can promote
organizational learning, leading to further knowledge creation.
For example, a map giving detailed driving directions from one location to another
could be considered data. An up-to-the-minute traffic bulletin along the freeway
that indicates a traffic slowdown due to construction could be considered
information. Awareness of an alternative, the back-roads route could be considered
knowledge. In this case, the map is considered data because it does not contain
current relevant information that affects the driving time and conditions from one
location to the other. However, having the current conditions as information is
useful only if the individual has knowledge that will enable him or her to avoid the
construction zone. Having knowledge implies that it can be used to solve a
problem, whereas having information does not carry the same connotation.

Figure: Data, information, and knowledge.

KM Systems. Knowledge management systems (KMSs) refer to the use of the Internet, intranets, extranets, Lotus Notes, software filters, agents, and data warehouses to systematize, enhance, and expedite intra- and interfirm knowledge management. KMSs are intended to help an organization cope with turnover, rapid change, and downsizing by making the expertise of the organization's human capital widely accessible. They are being built in part because of increased pressure to maintain a well-informed, productive workforce. They also help organizations retain the knowledge of departing employees. Many organizations have been building KM systems in order to capitalize on the knowledge and experience of employees worldwide.

KM Systems Cycle
A functioning KMS follows six steps in a cycle. The system is cyclical because
knowledge is acquired and refined over time. The cycle works as follows:

Create knowledge
Knowledge is created as people determine new ways of doing things or develop
know-how. Sometimes external knowledge is brought in.

Capture knowledge
New knowledge must be identified as valuable and be represented in a reasonable
way.

Refine knowledge
New knowledge must be placed in context so that it is actionable. This is where
human insights (tacit qualities) must be captured along with explicit facts.

Store knowledge
Useful knowledge must then be stored in a reasonable format in a knowledge
repository so that others in the organization can access it.

Manage knowledge
Like a library, the knowledge must be kept current. It must be reviewed to verify
that it is relevant and accurate.

Disseminate knowledge
Knowledge must be made available in a useful format to anyone in the organization
who needs it, anywhere and anytime.

Information security
Information security (infosec, for short) is about the risk to data, information
systems, and networks. Incidents affecting them create business and legal risks.

Business risks: For example, when operations are disrupted.

Legal risks: For example, when privacy laws are violated.

Protecting Data and Business Operations

Network security

● Firewalls
● Encryption
● Antivirus
● Antispam
● Anti-spyware

Besides technology defenses, protecting data and business operations involves all
of the following:

● Making data and documents available and accessible 24/7 while
simultaneously restricting access
● Implementing and enforcing procedures and acceptable use policies for
company-owned data, hardware, software, and networks
● Promoting secure and legal sharing of information among authorized
persons and partners
● Ensuring compliance with government regulations and laws
● Preventing attacks by having network intrusion defenses in place
● Detecting, diagnosing, and reacting to incidents and attacks in real-time
● Maintaining internal controls to prevent manipulation of data and records
● Recovering from business disasters and disruptions quickly

As the preceding list shows, business policies, procedures, training, and disaster
recovery plans, as well as technology, all play a critical role in IT security. IT security
covers the protection of information, communication networks, and traditional and
e-commerce operations to assure their confidentiality, integrity, availability, and
authorized use.

IT Security Terms

Term: Definition

Threat: Something or someone that may result in harm to an asset.

Risk: Probability of a threat exploiting a vulnerability.

Vulnerability: A weakness that threatens the confidentiality, integrity, or
availability (CIA) of an asset.

CIA triad (confidentiality, integrity, availability): The three main principles of
IT security.

Exploit: Using a tool or technique to take advantage of a vulnerability.

Risk management: Process of identifying, assessing, and reducing risk to an
acceptable level.

Exposure: The estimated cost, loss, or damage that can result if a threat exploits
a vulnerability.

Access control: Security feature designed to restrict who has access to a network,
IS, or data.

Countermeasure: Safeguard implemented to mitigate (lessen) risk.

Audit: The process of generating, recording, and reviewing a chronological record
of system events to determine their accuracy.

Encryption: Transformation of data into scrambled code to protect it from being
understood by unauthorized users.

Plaintext or clear-text: Readable text.

Ciphertext: Encrypted text.

Authentication: Method (usually based on username and password) by which an IS
validates or verifies that a user is really who he or she claims to be.

Malware (short for malicious software): A generic term that refers to a virus,
worm, Trojan horse, spyware, or adware.

Scareware, also known as rogueware or fake antivirus software: Programs that
pretend to scan a computer for viruses and then tell the user the computer is
infected in order to convince the victim to voluntarily provide the credit card
information to pay $50 to $80 to "clean" the PC. When the victims pay the fee, the
virus appears to vanish, but the machine is then infected by other malicious
programs. It is one of the fastest-growing and most prevalent types of Internet
fraud.

Biometrics: Methods to identify a person based on a biological feature, such as a
fingerprint or retina.

Perimeter security: Security measures to ensure that only authorized users gain
access to the network.

Endpoint security: Security measures to protect endpoints, e.g., desktops,
laptops, and mobile devices.

Firewall: Software or hardware device that controls access to a private network
from a public network (Internet) by analyzing data packets entering or exiting it.

Packet: A unit of data for transmission over a network with a header containing
the source and destination of the packet.

IP address (Internet Protocol address): An address that uniquely identifies a
specific computer or other device on a network.

Public key infrastructure (PKI): A system based on encryption to identify and
authenticate the sender or receiver of an Internet message or transaction.

Intrusion detection system (IDS): A defense tool used to monitor network traffic
(packets) and provide alerts when there is suspicious traffic or to quarantine
suspicious traffic.

Router: A device that transfers (routes) packets between two or more networks.

Fault tolerance: The ability of an IS to continue to operate when a failure
occurs, but usually for a limited time or at a reduced level.

Backup: A duplicate copy of data or programs kept in a secured location.

Spoofing: An attack carried out using a trick, disguise, deceit, or by falsifying
data.

Denial of service (DoS) or Distributed denial of service (DDoS): An attack in
which a system is bombarded with so many requests (for service or access) that it
crashes or cannot respond.

Zombie: An infected computer that is controlled remotely via the Internet by an
unauthorized user, such as a spammer, fraudster, or hacker.

Spyware: Stealth software that gathers information about a user or a user's
online activity.

Botnet (short for Bot network): A network of hijacked computers that are
controlled remotely, typically to launch spam or spyware. Also called software
robots. Botnets are linked to a range of malicious activities, including identity
theft and spam.

IS Vulnerabilities and Threats

Every enterprise has information that profit-motivated criminals (who may be
across the globe or may be trusted employees) want to, and may actually attempt
to, steal and/or sell. The opening case about HSBC Private Bank demonstrates why
IT security risks are business risks. Those risks can stem from insiders, outsiders,
cybercriminal organizations, or malware. Malware is short for malicious software,
referring to viruses, worms, Trojan horses, spyware, and all other types of
disruptive, destructive, or unwanted programs. Threats range from high-tech
exploits to gain access to a company's networks and databases to non-tech tactics
to steal laptops and whatever else is available.

In general, IT security measures have focused on protecting against outsiders and
malware. While controlling physical and remote access to databases and networks
is still challenging, a majority of data breaches involve some sort of insider error or
action - either intentional or unintentional. That is, the greatest infosec risks are
employees and managers. Companies suffer tremendous losses from fraud
committed by employees. It's a widespread problem that affects every company,
regardless of size, location, or industry.

IT security is so integral to business objectives that it cannot be treated as a
stand-alone function. Failures have a direct impact on business performance,
customers, business partners, and stakeholders, and can lead to fines, legal action,
and steep declines in stock prices as investors react to the crisis.

Internal Threats
Threats from employees, referred to as internal threats, are a major challenge
largely due to the many ways an employee can carry out malicious activity. Insiders
may be able to bypass physical security (e.g., locked doors) and technical security
(e.g., passwords) measures that organizations have in place to prevent
unauthorized access. Why? Because defenses such as firewalls, intrusion detection
systems (IDS), and locked doors mostly protect against external threats. As you
have read, incidents that cause the greatest damages or losses are those carried
out by insiders. Despite the challenges, insider incidents can be minimized with a
layered defense strategy consisting of security procedures, acceptable use policies,
and technology controls.

Unintentional Threats
● Human errors can occur in the design of the hardware or information
system. They can also occur during programming, testing, or data entry. Not
changing default passwords on a firewall or failing to manage patches create
security holes. Human errors also include untrained or unaware users
responding to phishing or ignoring security procedures. Human errors
contribute to the majority of internal control and infosec problems.
● Environmental hazards include volcanoes, earthquakes, blizzards, floods,
power failures or strong fluctuations, fires (the most common hazard),
defective air conditioning, explosions, radioactive fallout, and
water-cooling-system failures. In addition to the primary damage, computer
resources can be damaged by side effects, such as smoke and water. Such
hazards may disrupt normal computer operations and result in long waiting
periods and exorbitant costs while computer programs and data files are
re-created.
● Computer systems failures can occur as the result of poor manufacturing,
defective materials, and outdated or poorly maintained networks.
Unintentional malfunctions can also happen for other reasons, ranging from
lack of experience to inadequate testing.
Intentional Threats

Theft of data
Inappropriate use of data
Data tampering
DoS/DDoS attacks
Viruses, worms, and Trojan horses
Theft of mainframe computer time
Theft of equipment and/or programs
Labor strikes, riots, or sabotage
Malicious damage to computer resources
Destruction from viruses and similar attacks
And miscellaneous computer abuses and Internet fraud

Fraud, Crimes, and Violations

Crime can be divided into two categories depending on the tactics used to carry it
out:

1. Violent
2. Nonviolent

Fraud is a nonviolent crime because instead of a gun or knife, fraudsters use
deception and trickery. Fraudsters carry out their crime by abusing the power of
their position or by taking advantage of the trust, ignorance, or laziness of others.

FRAUD
Occupational fraud refers to the deliberate misuse of the assets of one's
employer for personal gain. Internal audits and internal controls are essential to
the prevention and detection of occupational fraud. High-profile cases of
occupational fraud committed by senior executives.

Types and Characteristics of Organizational Fraud

Table: Types and Characteristics of Organizational Fraud (columns: Fraud;
Financial Characteristics). The table is cropped in the source; the row labels that
survive include conflict of interest, embezzlement or "misappropriation", and
accounting cycle fraud.

Information Assurance and Risk Management

The objective of IT security management practices is to defend all of the
components of an information system, specifically data, software applications,
hardware, and networks. Before they make any decisions concerning defenses,
people responsible for security must understand the requirements and operations
of the business, which form the basis for a customized defense strategy. In the next
section, we describe the major defense strategies.

DEFENSE STRATEGY

The defense strategy and controls that should be used depend on what needs to be
protected and the cost-benefit analysis. That is, companies should neither
underinvest nor overinvest. The SEC (Securities and Exchange Commission) and
FTC (Federal Trade Commission) impose huge fines for data breaches to deter
companies from underinvesting in data protection. The following are the major
objectives of defense strategies:
1. Prevention and deterrence. Properly designed controls may prevent errors
from occurring, deter criminals from attacking the system, and, better yet,
deny access to unauthorized people. These are the most desirable controls.
2. Detection. As with a fire, the earlier an attack is detected, the easier it is to
combat and the less damage is done. Detection can be performed in many
cases by using special diagnostic software, at a minimal cost.
3. Containment (contain the damage). Containment minimizes or limits
losses once a malfunction has occurred. It is also called damage control. This
can be accomplished, for example, by including a fault-tolerant system that
permits operation in a degraded mode until full recovery is made. If a
fault-tolerant system does not exist, a quick and possibly expensive recovery
must take place. Users want their systems back in operation as fast as
possible.
4. Recovery. A recovery plan explains how to fix a damaged information
system as quickly as possible. Replacing rather than repairing components is
one route to fast recovery.
5. Correction. Correcting the causes of damaged systems can prevent the
problem from occurring again.
6. Awareness and compliance. All organization members must be educated
about the hazards and must comply with the security rules and regulations.
A defense strategy also requires several controls. General controls are established
to protect the system regardless of the specific application. For example, protecting
hardware and controlling access to the data center are independent of the specific
application. Application controls are safeguards that are intended to protect
specific applications. In the next two sections, we discuss the major types of these
two groups of information systems controls.

GENERAL CONTROLS
The major categories of general controls are physical controls, access controls,
biometric controls, administrative controls, application controls, and endpoint
controls.
Physical Controls
Physical security refers to the protection of computer facilities
and resources. This includes protecting physical property such as computers, data
centers, software, manuals, and networks. It provides protection against most
natural hazards as well as against some human hazards. Appropriate physical
security may include several controls, such as the following:

● Appropriate design of the data center; for example, ensuring that the data
center is noncombustible and waterproof
● Shielding against electromagnetic fields
● Good fire prevention, detection, and extinguishing systems, including
sprinkler systems, water pumps, and adequate drainage facilities
● Emergency power shutoff and backup batteries, which must be maintained
in operational condition
● Properly designed, maintained, and operated air-conditioning systems
● Motion detector alarms that detect physical intrusion

Figure: Major defense controls.
Access Controls
Access control is the management of who is and is not authorized
to use a company's hardware and software. Access control methods, such as
firewalls and access control lists, restrict access to a network, database, file, or data.
It is the major defense line against unauthorized insiders as well as outsiders.
Access control involves authorization (having the right to access) and
authentication, which is also called user identification (proving that the user is who
he or she claims to be).

Authentication methods include:

● Something only the user knows, such as a password
● Something only the user has, such as a smart card or a token
● Something that is characteristic only of the user, such as a signature, voice,
fingerprint, or retinal (eye) scan; implemented via biometric controls, which
can be physical or behavioral
Biometric Controls
A biometric control is an automated method of verifying the
identity of a person, based on physical or behavioral characteristics. Most biometric
systems match some personal characteristic against a stored profile. The most
common biometrics are the following:

● Thumbprint or fingerprint. Each time a user wants to access, a thumb- or
fingerprint (finger scan) is matched against a template containing the
authorized person's fingerprint to identify him or her.
● Retinal scan. A match is attempted between the pattern of the blood vessels
in the retina that is being scanned and a prestored picture of the retina.
● Voice scan. A match is attempted between the user's voice and the voice
pattern stored on templates.
● Signature. Signatures are matched against the prestored authentic
signature. This method can supplement a photo card ID system.
Biometric controls are now integrated into many e-business hardware and software
products. Biometric controls do have some limitations: They are not accurate in
certain cases, and some people see them as an invasion of privacy.
Administrative Controls
While the previously discussed general controls are
technical in nature, administrative controls deal with issuing guidelines and
monitoring compliance with the guidelines.

Application Controls
Sophisticated attacks are aimed at the application level, and
many applications were not designed to withstand such attacks. For better
survivability, information-processing methodologies are being replaced with agent
technology. Intelligent agents, also called softbots or knowbots, are highly
adaptive applications. The term generally means applications that have some
degree of reactivity, autonomy, and adaptability - as is needed in unpredictable
attack situations. An agent is able to adapt itself based on changes occurring in its
environment.
In the next section, the focus is on the company's digital endpoints and the
perimeter—the network. We discuss the security of wireline and wireless networks
and their inherent vulnerabilities.
Endpoint Security and Control
Many managers underestimate the business risk
posed by unencrypted portable storage devices, which are examples of endpoints.
Business data is often carried on thumb drives, smartphones, and removable
memory cards without IT's permission, oversight, or sufficient protection against
loss or theft. Handhelds and portable storage devices put sensitive data at risk.
According to market research firm Applied Research-West, three of four workers
save corporate data on thumb drives. According to their study, 25 percent save
customer records, 17 percent store financial data, and 15 percent store business
plans on thumb drives, but less than 50 percent of businesses routinely encrypt
those drives and even fewer consistently secure data copied onto smartphones.
Portable devices that store confidential customer or financial data must be
protected no matter who owns them - employees or the company. If there are no
security measures to protect handhelds or other mobile/portable storage, data
must not be stored on them because doing so exposes the company to liability,
lawsuits, and fines. For smaller companies, a single data breach could bankrupt the
company.

Representative Administrative Controls

● Appropriately selecting, training, and supervising employees, especially in
accounting and information systems.
● Fostering company loyalty.
● Immediately revoking access privileges of dismissed, resigned, or transferred
employees.
● Requiring periodic modification of access controls (such as passwords).
● Developing programming and documentation standards (to make auditing
easier and to use the standards as guides for employees).
● Insisting on security bonds or malfeasance insurance for key employees.
● Instituting separation of duties, namely, dividing sensitive computer duties
among as many employees as economically feasible in order to decrease the
chance of intentional or unintentional damage.
● Holding periodic random audits of the system.

IT risk management
IT risk management includes securing corporate systems while ensuring their
availability; planning for disaster recovery and business continuity; complying with
government regulations and license agreements; maintaining internal controls; and
protecting the organization against an increasing array of threats such as viruses,
worms, spyware, and other forms of malware. In general, risk management is both
expensive and inconvenient. Many users, for instance, complain about being forced
to use strong passwords (i.e., at least 10 characters and must contain a digit and
special character) that aren't easy to remember.
Managers have a fiduciary responsibility (legal and ethical obligation) to protect the
confidential data of the people and partners that they collect, store and share. To
comply with international, federal, state, and foreign laws, companies must invest
in IT security to protect their data, other assets, the ability to operate, and net
income. Losses and disruptions due to IT security breaches can seriously harm or
destroy a company both financially and operationally. As the effectiveness of the
technology and tactics used by cybercriminals—people who commit crimes using
the Internet—increases, so do the costs (and inconveniences) of staying ahead of
deliberate attacks, viruses, and other malware infections, and unintentional errors.

Network Security

Network security is the process of taking physical and software preventative
measures to protect the underlying networking infrastructure.
The network has to be protected from unauthorized access, misuse, malfunction,
modification, improper disclosure, and so on.
Network security provides the secure platform on which computers, users, and
programs can perform their permitted critical functions.
Network security is typically handled by a network administrator or system
administrator who implements the security policy, network software, and hardware.

Data and Message security

Confidential data being transferred from one system to another is exposed to many
parties that try to read or alter it. Data security means protecting such data from
those parties.
Data and message security ensure that data is kept away from unauthorized
users and is thus protected from any harmful actions.

Reasons for data and message security

The implementation of data and message security is required for the following
reasons.

● When people perform banking and other financial transactions by PC over a
network, the data should remain confidential.
● Hacking techniques such as packet sniffing are a major threat to data security.
● Unauthorized people are constantly trying to access data over a network.

Firewall
A firewall is a network security system, either hardware- or software-based, that
uses rules to control incoming and outgoing network traffic.
A firewall acts as a barrier between a trusted network and an untrusted network. A
firewall controls access to the resources of a network through a positive control
model. This means that the only traffic allowed onto the network is defined in the
firewall policy; all other traffic is denied.

Types of firewalls

Packet firewalls
The earliest firewalls functioned as packet filters, inspecting the packets that are
transferred between computers on the Internet. When a packet passes through a
packet-filter firewall, its source and destination address, protocol, and
destination port number are checked against the firewall's ruleset. Any
packets that aren't specifically allowed onto the network are dropped (i.e., not
forwarded to their destination). For example, if a firewall is configured with a rule to
block Telnet access, then the firewall will drop packets destined for TCP port
number 23, the port where a Telnet server application would be listening.

Stateful firewalls
In order to recognize a packet's connection state, a firewall needs to record all
connections passing through it to ensure it has enough information to assess
whether a packet is the start of a new connection, a part of an existing
connection, or not part of any connection. This is what's called "stateful packet
inspection."
This additional information can be used to grant or reject access based on the
packet's history in the state table, and to speed up packet processing; that way,
packets that are part of an existing connection based on the firewall's state table
can be allowed through without further analysis. If a packet does not match an
existing connection, it's evaluated according to the rule set for new
connections.
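The difference between the packet filter and the stateful firewall described above, as an added example that is not part of the original notes: a small simulation in which the ruleset, the state-table layout and the sample packets are all constructed for illustration (the addresses come from the documentation ranges).

```python
"""Simulation of the packet-filter and stateful-inspection behaviour described
above. Added example, not code from the original notes; the ruleset, state
table layout and sample packets are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str           # source IP address
    sport: int         # source port
    dst: str           # destination IP address
    dport: int         # destination port
    proto: str         # "tcp" or "udp"
    syn: bool = False  # TCP SYN flag: set on the first packet of a connection


# Positive control model: traffic passes only if a rule explicitly allows it.
# Each rule is (protocol, destination port, action); first match wins.
RULES = [
    ("tcp", 23, "deny"),    # Telnet, the example from the text
    ("tcp", 80, "allow"),   # HTTP
    ("tcp", 443, "allow"),  # HTTPS
    ("udp", 53, "allow"),   # DNS
]


def packet_filter(pkt: Packet) -> str:
    """Stateless packet filter: each packet is judged on its own header."""
    for proto, port, action in RULES:
        if pkt.proto == proto and pkt.dport == port:
            return action
    return "deny"  # not specifically allowed, so dropped


class StatefulFirewall:
    """Keeps a state table of connections it has allowed, so that replies and
    later segments of an allowed connection pass without re-evaluating rules."""

    def __init__(self):
        self.state = set()  # entries: (proto, src, sport, dst, dport)

    def inspect(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state or reverse in self.state:
            return "allow (established)"  # part of an existing connection
        if pkt.proto == "tcp" and not pkt.syn:
            # mid-stream segment that belongs to no known connection
            return "deny (no state)"
        verdict = packet_filter(pkt)      # new connection: consult the ruleset
        if verdict == "allow":
            self.state.add(forward)
        return verdict + " (new)"


# Constructed sample traffic. 10.0.0.5 is the inside host; 203.0.113.10 and
# 198.51.100.7 are outside hosts.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "tcp", syn=True),    # new HTTP request
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "tcp"),              # HTTP reply
    Packet("10.0.0.5", 40001, "203.0.113.10", 23, "tcp", syn=True),    # Telnet attempt
    Packet("198.51.100.7", 4444, "10.0.0.5", 80, "tcp"),               # unsolicited, no SYN
    Packet("10.0.0.5", 40002, "203.0.113.10", 8080, "tcp", syn=True),  # no matching rule
]


def stateless_verdicts(packets):
    return [packet_filter(p) for p in packets]


def stateful_verdicts(packets):
    fw = StatefulFirewall()
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    for pkt, s1, s2 in zip(SAMPLE, stateless_verdicts(SAMPLE), stateful_verdicts(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateless={s1:5}  stateful={s2}")
```

Note that the stateless filter drops the legitimate HTTP reply (its destination port has no rule) yet passes the unsolicited port-80 segment, while the state table lets the stateful firewall get both cases right.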

Application-layer firewalls
As attacks against Web servers became more common, so too did the need for a
firewall that could protect servers and the applications running on them, not
merely the network resources behind them. Application-layer firewall technology
first emerged in 1999, enabling firewalls to inspect and filter packets on any OSI
layer up to the application layer.

The key benefit of application-layer filtering is the ability to block specific content,
such as known malware or certain websites, and recognize when certain
applications and protocols -- such as HTTP, FTP, and DNS -- are being misused.

Proxy firewalls
Firewall proxy servers also operate at the firewall's application layer, acting as an
intermediary for requests from one network to another for a specific network
application. A proxy firewall prevents direct connections between either side of the
firewall; both sides are forced to conduct the session through the proxy, which can
block or allow traffic based on its ruleset. A proxy service must be run for each type
of Internet application the firewall will support, such as an HTTP proxy for Web
services.

Cryptography
Cryptography is the study of hiding information, and it is used when
communicating over an untrusted medium such as the internet, where information
needs to be protected from other third parties.

Modern cryptography concerns itself with the following four objectives:

1) Confidentiality (the information cannot be understood by anyone for whom it
was unintended)

2) Integrity (the information cannot be altered in storage or transit between
sender and intended receiver without the alteration being detected)

3) Non-repudiation (the creator/sender of the information cannot deny at a later
stage his or her intentions in the creation or transmission of the information)

4) Authentication (the sender and receiver can confirm each other's identity and
the origin/destination of the information)

Encryption uses an algorithm called a cipher to encrypt data and it can be
decrypted only using a special key. The encrypted information is known as
ciphertext and the process of obtaining the original information (plaintext) from
the ciphertext is known as decryption. One of the two widely used encryption
methods is Public Key Encryption (the other being Symmetric Key Encryption).
The specialty of public-key encryption is that two different but mathematically
related keys called the public key and private key are used (as opposed to
symmetric key encryption, which uses the same private key for encryption and
decryption).
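How a public key and a private key can be different yet mathematically related, and how one key pair serves the four objectives above, as an added example that is not part of the original notes: textbook RSA on tiny constructed primes (p = 61, q = 53, e = 17), with the hash-then-sign step standing in for a real padding scheme.

```python
"""Textbook RSA on tiny primes, to show how the public and private keys of
public-key encryption are different yet mathematically related, and how the
same key pair supports the four objectives listed above. Added example, not
code from the original notes; the primes, exponent and messages below are
constructed for illustration and are far too small for real use."""
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((n, e), (n, d)).

    Both keys share the modulus n = p*q. The private exponent d is the inverse
    of the public exponent e modulo phi(n) = (p-1)(q-1); computing d therefore
    needs p and q, which is why publishing (n, e) does not reveal (n, d).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext: int) -> int:
    """Confidentiality: anyone with the public key can produce ciphertext."""
    n, e = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(plaintext, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    """Only the holder of the private key can recover the plaintext."""
    n, d = private_key
    return pow(ciphertext, d, n)


def _digest(message: bytes, n: int) -> int:
    # hash the message and reduce it into the RSA group; real schemes use a
    # padding scheme such as PSS instead of a bare reduction
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Authentication and non-repudiation: only the private key can produce
    the signature, so the signer cannot later deny having made it."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Integrity: any change to the message or signature makes this fail."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def demo():
    # constructed toy parameters (the classic p=61, q=53 example)
    public, private = make_keypair(61, 53, 17)
    ciphertext = encrypt(public, 65)
    recovered = decrypt(private, ciphertext)
    order = b"transfer 100 to account 42"  # constructed sample message
    signature = sign(private, order)
    n, _ = public
    return {
        "public": public,
        "private": private,
        "ciphertext": ciphertext,
        "recovered": recovered,
        "signature_ok": verify(public, order, signature),
        "forged_signature_ok": verify(public, order, (signature + 1) % n),
    }


if __name__ == "__main__":
    print(demo())
```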

Business Continuity and Auditing

Fires, earthquakes, floods, power outages, and other types of disasters hit data
centers. Yet business continuity planning and disaster recovery capabilities can be a
tough sell because they do not contribute to the bottom line. Compare them to an
insurance policy: If and only if a disaster occurs, the money has been well spent.
And spending on business continuity preparedness can be an open-ended
proposition: there is always more that could be done to better prepare the
organization.

Disasters may occur without warning, so the best defense is to be prepared. An
important element in any security system is the business continuity plan, also
known as the disaster recovery plan. Such a plan outlines the process by which
businesses should recover from a major disaster. Destruction of all (or most) of the
computing facilities can cause significant damage. It is difficult for many
organizations to obtain insurance for their computers and information systems
without showing a satisfactory disaster prevention and recovery plan.

IT managers need to estimate how much spending is appropriate for the level of
risk an organization is willing to accept.

BUSINESS CONTINUITY PLANNING

Disaster recovery is the chain of events linking the business continuity plan to
protection and to recovery. The following are some key thoughts about the process:

● The purpose of a business continuity plan is to keep the business running
after a disaster occurs. Each function in the business should have a valid
recovery capability plan.
● Recovery planning is part of asset protection. Every organization should
assign responsibility to management to identify and protect assets within
their spheres of functional control.
● Planning should focus first on recovery from a total loss of all capabilities.

AUDITING INFORMATION SYSTEMS

An audit is an important part of any control system. Auditing can be viewed as an
additional layer of controls or safeguards. It is considered to be a deterrent to
criminal actions, especially for insiders. Auditors attempt to answer questions such
as these:
● Are there sufficient controls in the system? Which areas are not covered by
controls?
● Which controls are not necessary?
● Are the controls implemented properly?
● Are the controls effective? That is, do they check the output of the system?
● Is there a clear separation of duties of employees?
● Are there procedures to ensure compliance with the controls?
● Are there procedures to ensure reporting and corrective actions in case of
violations of controls?

Auditing a Website is a good preventive measure to manage legal risk. Legal risk
is important in any IT system, but in Web systems, it is even more important due to
the content of the site, which may offend people or be in violation of copyright laws
or other regulations (e.g., privacy protection). Auditing e-commerce is also more
complex since, in addition to the Web site, one needs to audit order taking, order
fulfillment, and all support systems.
