Information Systems Operations IS Operations (Chapter 9) Practicum: Cendant Corporation


What are ‘Operations’?

  • Development and Test
  • Production
  • Outsourcing and Utility Computing


Two Components

Or you might consider them two sides to one system

  • Business Operations: all the tangible physical things that go on in a corporation
  • Computer Operations


Business & Computer Operations

[Figure: Business Operations and the Parallel (Logical) World of Computer Operations. Labels: External Real World Entities and Events that Create and Destroy Value; Transactions; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Measurement / Posting; Journal Entries; Ledgers: Databases; Reports: Statistics; Computer Systems; Corporate Law; Internal Control Memo; Audit Program; Internal Control Review Over Operations.]


Computer Operations

Only a subset of business operations are computerized (automated)

Computers do the following well:

  • High-speed arithmetic operations
  • Storage and search of massive quantities of data
  • Standardization of repetitive procedures

All other Business Operations require human intervention


Human Intervention

Even computer operations require human intervention at some level

  • E.g., turning the computer on and off

In both business and computer operations, human interventions demand the most auditing


Automation & Operations Objectives

  • Operations should be about following predetermined procedures
  • The appeal rests largely on the ability to reduce or alter the role of people in the process
  • The intent is to take people out of the loop entirely,
  • Or to increase the likelihood that people will do what they are supposed to do, and that they do it accurately
  • People are flexible and clever
  • We sometimes don’t want to take people out of the loop on a lot of systems
  • The problem is when a lot of things break at the same time.
  • There’ll probably be a few things that are hard to fix, a cascade of effects.


Computerized procedures

Fully automated (computerized) procedures

  • Can be audited once with a small data set
  • And these results can be considered to hold over time


@ Boeing?


The ‘Glass House’


Mass Storage

Z Microsystems TranzPacs

  • Shared chassis - shared peripherals.
  • Less space, less weight, less power, less cost.
  • Hot-swappable sealed computer modules (SCM) and disk modules.
  • Mix & match platforms and OS's.
  • Independent stand-alone systems.
  • Shared peripheral clusters.

Mass Storage at NASA


Server Farms


Systems Life Cycle

[Figure: Resource Use plotted against Time across the life-cycle phases Requirements Specification, Design & Programming, Testing, Release, Production and Replacement, with an "Audit Here!" callout.]


Operations Objectives

What to look for in an audit

  • Production jobs are completed in time
  • Output (information) is distributed on time
  • Backup and recovery procedures are adequate (requires risk analysis)
  • Maintenance procedures adequately protect computer hardware and software
  • Logs are kept of all changes to HW & SW


Case Study: Manual versus Automated Scheduling

pp. 187-189

Question: Why is automation important?


Backup and Recovery Objectives

Best Practices

  • Determination of appropriate recovery and resumption objectives for activities in support of critical markets.
      • Core organizations should develop the capacity to recover and resume activities within the business day on which the disruption occurs.
      • The overall goal is to resume operations within two hours

  • Maintenance of sufficient geographic dispersion of resources to meet recovery and resumption objectives.
      • Back-up sites should not rely on the same infrastructure components used by the primary site, and
      • back-up operations should not be impaired by a wide-scale evacuation or inaccessibility of staff that services the primary site

  • Routine use or testing of recovery and resumption arrangements.
      • Testing should not only cover back-up facilities of the firm, but connections with the markets, third party service providers and customers
      • Connectivity, functionality and volume capacity should be covered.


How Does Backup & Recovery Fit into your Risk Assessment Framework?

Your Toolkit: Computer Inventory, Risk Assessment Matrix, Dataflow Diagrams and Systems Components Hierarchy

Asset (Ex 2.1) and Risk Assessment (Ex. 2.2 with improvements)

| Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)* | Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss |
|---|---|---|---|---|---|---|---|---|---|
| Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | 100 | 10000 |
| Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12250 |

[Figure: Systems Components Hierarchy. Labels: Audit Objectives; Reporting Risks (External Audit); Control Process Risks (Internal & External Audits); Asset Loss Risks (Internal Audits); Transaction Flows; Business Application Systems; Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment.]


Prioritizing Backup & Recovery Tasks

Find the critical transactions (High value; High volume)

Identify the critical applications for processing these transactions

Identify the critical personnel, including those you may not have hired or defined jobs for, who are essential to processing these transactions


Case Study: NYSE after 9/11

CNET interview with NYSE's chief technology officer Roger Burkhardt

Were most of the trading firms in the area that connect with your systems all up and running by 9:30 am on Monday (September 17)? Were there any from outside or in the area unable to participate in trading that morning?

We had lost a lot of telephone lines that bring in data to our computer centers and also voice lines to the floor, which would have meant that we would not have had full access by all members. That raised some public policy issues, particularly for the retail investor; if their broker-dealer is the one who doesn't have connectivity, they would be disadvantaged.

"I think September 11 was the biggest challenge that our technical team has had to face in recent years."

So NYSE faced a connectivity issue on a uniquely massive scale?

There was a connectivity issue that affected not just our market, but all markets. There was also the fact that there were a number of firms that were scrambling to get into their back-up facilities. A number of large firms like Morgan Stanley and Merrill Lynch were affected. And then there were firms like Goldman Sachs, just down the street from here, who were like us in that their building was undamaged. In fact, the Merrill Lynch building was also undamaged, but they were just not allowed to come in because the authorities quite rightly wanted to focus on rescue operations. That affected all the markets. Clearly, if you want a market, you want it to be a fair market, with breadth of access. You don't want one retail investor to not be able to get through to sell or buy.

So by Monday, how did you manage to connect all the firms that connect to your systems?

We worked with member firms for the balance of that week to help them re-establish connectivity. We worked very closely with Verizon, whose staff did a tremendous job. We have a subsidiary called Securities Industry Automation Corporation. It's been around for over 25 years and provides data processing and communications capabilities for the securities industry. It was initially set up by the NYSE and the American Stock Exchange, but also provides services to a broader part of the industry--for example, market data systems for equities and options. It also is the collection point for all the post trade information for all instruments. What is important about that is that because so many of us use them, they have telephone lines coming in from everybody. They play this hub role where they can effectively use communications set up for one purpose in an emergency to recover something else.

"With the potential for cyber threats, the advice I get is, 'Don't tell anyone about anything we are using.'"

What other platforms are you using?

I just used that as an example that we are not a trailing edge adopter. And I am a little sad about this because I enjoy talking about a bunch of technologies here from many great companies like HP, IBM and others. But with the potential for cyberthreats, the advice I get is, "Don't tell anyone about anything we are using."


Business Operations

Computer Operations are a subset of business operations


Case Studies

CS 9.3 to 9.7, pp. 195-202

Question: Can you recognize the control weaknesses?

What is the ‘Risk’ from inadequate control in each?


Practicum:

Fraud Risk & The Internal Control Environment

Cendant Corporation