
Business Informatics

Practical business informatics management[1]

Several best practice methodologies, models, frameworks and standards, for example ITIL, CobiT, ISO 20000 have been developed to manage emerging business informatics requirements.

Information Systems comprise the development, use, and impact of information and communication technologies (ICT). The rising complexity and heterogeneity of technology infrastructure and enterprise applications, as well as the expanding options for information system provision, have contributed to management complexity. Outsourcing of selected applications and services significantly increases the number of stakeholders and business relationships of a company.

Management has come to expect improved effectiveness and reduced costs associated with IT provision. The base process-oriented methodologies are CobiT, CMMi, ISO/IEC 20000, ITIL and TOGAF. A detailed comparison is given in [TSO. ITIL: Introduction to the ITIL Service Lifecycle. London. The Stationery Office, 2007].

A recent survey among Czech organisations has indicated a relatively low adoption level of the above process-oriented methodologies, and an overall perception that their benefits are limited. ITIL, the most adopted methodology, is utilised by 53% of Czech companies, even though only 6% have fully implemented it. 53% of these companies do not utilise CobiT at all, while 12% apply it exclusively for strategic IT management. According to the survey, conducted in 2010 among 600 mostly medium-sized company respondents in the Czech Republic, the most significant reasons for the low level of methodology adoption are complexity, excessive cost of implementation, and considerable overheads on IT practitioners and their professional qualifications.

Chief Information Officers (CIO) have a major role in ensuring continuous development and innovation of both IT applications and IT infrastructure. IT leadership issues comprise a suitable allocation of responsibility and authority in relation to IT, effective use of human resources, and IT effectiveness through Monitoring and Evaluation.

The major findings of the survey were,

1.       The main objective of business informatics management was to maximize support of business activities through alignment of business needs and business informatics functions.

2.       Companies need to consider all external and internal factors affecting them

3.       Management of Business Informatics should follow appropriate standards, methodologies, methods, and apply suitable metrics to determine quality and performance of processes, while ensuring documentation and expertise

4.       Information systems should be developed and operated at reasonable cost corresponding to the role of IT in the organisation, while acknowledging that minimizing costs may not be in the best long-term interest of the organisation

5.       Monitoring existing applications and new projects, and real effects is essential for focusing on strategic impact

6.       Strategically important applications need to be identified and given priority

7.       Innovation in informatics must follow IT market developments and the current status of business partners and competitors

8.       Cooperation between departments, the IT department and external providers must be based on service contracts and Service Level Agreements (SLA)

9.       Choosing the appropriate operational model, whether outsourcing, cloud computing etc., must involve evaluating costs savings at an acceptable level of risk, and allocation of adequate resources

10.   Technology security and reliability must be assured at a reasonable cost

11.   The qualifications of end-user and IT practitioners must be developed systematically

12.   Management should plan for a shortage of IT specialists in the short-term

Management of Business Informatics (MBI) Model

The model was developed by the Department of Information Technologies, University of Economics, Prague, based on the results of an IT management survey, an extensive literature review, analysis of existing standards, methods and frameworks, as well as general knowledge from consulting projects across organisations.

Objectives

The primary objective is to provide support for IT management activities by,

1.       Documenting and analysing existing systems

2.       Designing and implementing improved management systems

3.       Advising on best practice relating to strategy, budgets, concrete structure and wording of SLAs for application services, etc.

Principles

The key principles are,

1.       Supports the business strategy, in defining strategic applications of business informatics, as well as in monitoring IT investment

2.       Controls for all key elements of the Information System,

a.       Required functionality inclusion

b.       Availability, timeliness, accuracy and trustworthiness of required functions and information

c.       Compliance with legislation

d.       Reliability

e.       User-friendliness

f.        Security

g.       Flexibility

h.       Openness

i.         Integrity

j.         Standardization

k.       Performance

l.         Effectiveness

3.       Recording all responsibilities and authorities in the context of business informatics

4.       Informatics management based on a coherent system of metrics that evaluate all IT services, IT processes and IT resources

5.       Provision of various levels of detail (granularity) of management tasks and metrics corresponding to the requirements of the organisation

6.       Rapid response to new business informatics needs, their content and functionality

7.       Modular deployment allows a limited implementation that addresses the areas or departments most in need of enablement, while maximising impact on organisation performance

8.       Integral to the model is a summarisation of relevant practical experience

Management Domains

1.       Strategic Management

2.       Management of IT Services

3.       Management of IT resources

4.       Management of IT economics

5.       Management of IT Development

6.       Management of IT operations

Each task has several attributes; its ID, task variant ID, author and update data are used for identification.

A task can be defined in variants.

The content of each task is expressed as goal, purpose, and content.

A task comprises activities expressed at various levels of granularity: core activities, high-level process, and detailed process.

Task-related classes,

1.       Documents. Either a tool of business informatics, e.g. project plan, project objective, or provides a solution, e.g. test scenario, tender document

2.       Scenario. Typical issues.

3.       Application. Software for a given task.

4.       Metrics. Based on dimensional modelling, as indicators and analytical dimensions. They determine the Key Performance Indicators (KPI) or Key Goal Indicators (KGI) of tasks. E.g. IT operating costs have the dimensions of IT services and IT applications; or, for individual business units, metrics on the operating costs of each service for each business unit. Data sources for measuring metrics must be available and accessible internally, so that the cost of access does not exceed the benefit.

5.       Methods. Formalises processes and guidelines to fulfil goals of tasks.

6.       Roles. Responsibilities of an assignee. E.g. CIO, Operations Manager, Project Manager, IT Architect, etc. Roles are linked to individual tasks using the responsibility matrix, Responsible, Accountable, Consulted and Informed (RACI).

7.       Factors. Influence the manner of task execution. E.g. organisation size, industry sector, organisation type (public or private). E.g. tender preparation for the supply of IT services depends on the organisation type, as legislation is different for public institutions.

Business Informatics Features

1.       Functionality

2.       Availability, Timeliness, Accuracy, Trustworthiness of required functions and information

3.       Compliance with legislation

4.       Reliability

5.       User-friendliness

6.       Security

7.       Flexibility

8.       Openness

9.       Integrity

10.   Standardisation

11.   Performance

12.   Effectiveness


Task classes (doors)

Models

1.       Generic. Captures proven management practices and practical experiences in the form of tasks, documents, methods, metrics and other objects

2.       Specific. For organisations in a particular sector (automotive, banking, public administration, etc.). Created in the profiling process

3.       IT management for Organisation X. Created by customising a Specific Model.


Figure 1. MBI model type

Principles of design-science IS research[2]

·         IT Governance is a CIO top-10 issue

·         Frameworks lack scientific viewpoint, are complex and overlap

·         The approach, Design Science Research, has two phases: build and evaluate. Unlike behavioural research, design-oriented research develops a to-be concept for building a system with reference to a model, taking restrictions and limitations into account.

o   Constructs.

§  Describe problem domain and terminology.

§  Contingency factors definition

§  General implementation guidelines

§  Governance and management views.

o   Models

o   Methods

o   Instantiations

Compliance principles for design-science research

1.       Abstraction

2.       Originality. Not already in the body of knowledge

3.       Justification. Methods proposed for evaluation must justify it

4.       Benefit. Aligning governance, guidelines, differentiation and frameworks must help the organisation

Governance

1.       Corporate Governance. System of direction and control. Responsibility delegated by stakeholders, defined by legislators and regulators, shared by the board with managers.

2.       Enterprise Governance. Responsibilities exercised by the board and executive managers, for strategic direction, for planning and execution, for proactive risk management, while utilizing resources optimally

3.       IT Governance. Sub-set of Enterprise and Corporate governance. While executives and managers administer, develop, implement and monitor business strategy, to make efficient delivery of IT services and products, boards and other governance structures decide policy, culture and direction, for performance and transformation in meeting current and future needs.

Frameworks

ITIL and CobiT lack a theoretical foundation from a scientific viewpoint[3]. They focus on Service Management. An official maturity model for ITIL v3 is in the works.

CMMI-SVC identifies 24 processes with several practices and sub-practices, and introduces a maturity model. It too lacks identification of contingency factors.

Contingency factors

·         Organisational culture. Making employees care about their organisation by managing IT workers and workplaces in a way that takes into account the interactions among groups of people with differing worldviews.

·         Structure. IT has broken down patterns of production management.

·         Strategy.

·         Size. Many small organisations lack standard project management practices. Size influences IT governance following from its effect on corporate governance.

·         Maturity. Much of IT is commoditised but some of it is specialized. Higher performing organisations have more mature structures and processes.

·         Ethics and trust. Ethical business practices rely on organisations committing to higher purposes than profits alone. Trust and cooperation are critical for addressing or minimizing governance failure[4]

Guidelines

Business performance seekers have sought to align IT and business priorities.

A well-structured Governance framework should be based on structures, processes and communication[5]. Through,

1.       Structural (formal) devices and mechanisms for connecting business and ITM, i.e. decision-making functions

2.       Processes, i.e. formal and institutionalised strategic IT decision making or IT monitoring procedures. Active participation and collaboration among corporate executives, ITM and business management sustain business-IT alignment.

3.       Inputs, outputs, roles and responsibilities collectively define processes. Effective management of IT resources, enabling goals to be achieved, involves following IT processes.

4.       IT business alignment should be measured in situ. This involves measuring, evaluating and controlling alignment and process maintenance.

5.       The use of frameworks is encouraged

6.       Policy implementation requires procedure and practice definition and compliance, and methods of oversight, enforcement and an escalation or appeal process addressing waivers or other exemptions.

7.       A survey suggests that maintenance and upgrades constitute 80% of IT budgets, with 20% spent on new applications and capability. For effective IT governance, continuous design and improvement is necessary to transform and position IT for future business challenges.


Deming proposed that business processes should be analysed and measured to identify sources of variations that cause products to deviate from customer requirements. He recommended that business processes be placed in a continuous feedback loop, to let managers identify and change processes that need improvement. He created a simplified diagram to illustrate this continuous process, known as PDCA (Plan, Do, Check, Act).

A theory by Selig (2008)[6] describes a pragmatic planning process called pressure point analysis. He posits that IT planning is based on analyzing internal and external pressure points and trends, and on addressing six basic questions.

Design science research process (Build and Evaluate phases)

Build: Construct definition (Domain definition; Contingency factor definition; IT Governance implementation guidelines), then Framework construction (Construct correlations; Integrate constructs)

Evaluate: Evaluation (Literature review; Interviews)


Mapped theories


Security in agreements

Extended organisations, with tightly coupled provider networks, create security management problems as it becomes difficult to maintain a holistic view of security across systems, technologies and resources in the entire network.[7]

A recognised approach to mitigating risk and enforcing trust in B2B relationships is to formalise relationships in contracts. Umbrella agreements, or framework agreements, are chosen when the complexity of relationships increases. While prescribing norms, they are sufficiently flexible to respond to unforeseen contingencies.

Quality of Service (QoS) thresholds, along with penalties, may be established in Service Level Agreements to specify measurable standards. QoS parameters cover performance, availability and reliability, leaving non-quantifiable security requirements for service assurance undefined. Security SLAs, or Protection Level Agreements, cover the protection of data during its lifecycle. These address external insider threat risks.

External insider threats

1.       Identification of external insider roles for a part of the extended organisation through,

a.       Value modelling to limit the scope of analysis and companies involved

b.       Coordination modelling to understand business processes

c.       IT architecture modelling for an overview on systems and connections

d.       Identification of external insider roles and activities performed for the focal organisation

e.       Access matrix of the external insiders’ need-to-know requirements

f.        Reverse engineering of security best practices considering external insiders as sources of threats, and as enforcers of security on behalf of the focal organisation

Trust is central to B2B relationships. This involves B2B trust and business-to-individual trust between the focal organisation, outsiders, insiders and external insiders.

From the perspective of the trustor, who is expected to trust, trust is the belief that the trustee, who is expected to be trusted, will act as expected. From the perspective of the trustee, trust involves demonstrating trustworthiness to allow the trustor to estimate an objective, well-founded probability. As trust is difficult to measure and verify, an alternative is to minimise the need for trust by substituting assurance for it, such as contractual trust. Assurance is implemented through controls and is intended to reduce the risk that an expected outcome will not materialise.

Das & Teng (1998) suggest that trust and control should be supplementary and not complementary, where the higher the trust, the lower the need for controls and vice versa.

Controls are mechanisms that provide security to a focal organisation and consist of policies, procedures, organisational structure, and technical controls.

Network theories from the Social Sciences imply that trust is transitive among humans. Granovetter (1973) argued that if A and B have strong ties, as do B and C, then there is an increased likelihood that A and C have at least weak ties, that is, they may be acquaintances. However, inter-organisational trust is not transitive. Increasingly, inter-organisational transitive trust is imposed through non-transparent chains of trust.

Identity Management and Access Management (IAM) are complementary. The former involves provisioning, propagation, usage, maintenance, and de-provisioning.


Outsiders are individuals who are not trusted by a focal organisation. They may have unauthorised access to private assets or authorised access to public assets. They are subject to external controls enforced by an organisation.

Insiders are individuals trusted by an organisation that employs them. Access is granted to private assets. There may be legitimate need-to-know authorisation granting access for performing their duties, for instance, access to sensitive data, not only to read and write, but also to modify such data. Insiders are fully subject to internal controls, for example, hierarchical control, such as supervision and revision procedures, access control policies, such as separation of duties and dual control enforcement.

External Insiders are not trusted by a focal organisation. B2B relationships may be established through non-contractual agreements or joint ventures. External insiders have authorised access to the private assets of the focal organisation, as they act on its behalf. They are subject to some external and internal controls.

In the e3value model (Gordijn & Akkermans, 2003), manufacturers and retailers are actors, stakeholders with economic interests. Actors transact value objects through defined interfaces; value objects may be anything of value to the stakeholders, namely, tangible products, services, or non-tangible legal compliance documents.

Managerial perspective

Security threats increase sharply with the expansion of organisation boundaries in extended organisations. Risk management must respond by becoming extended-enterprise-wide, for a holistic view of interdependencies and vulnerabilities. This requires coordination between departments, for example IT, legal, and business. It may be constrained by conflicts of interest and the absence of the transparency required for risk management, as visibility may be limited to the focal organisation.

A company-trustor must rely on subjective indicators of trust to decide on B2B relationships. These indicators are multi-dimensional and may involve goodwill, that is, benevolence, integrity, and good faith, or competence that is reputation, experience, and statistics. Quantification of trust is difficult, and computation may involve trust graphs. Distributed control mechanisms are necessary across organisations, even as external insiders may be subject to controls across organisations.

Auditing provides a snapshot of processes carried out by a company, limited by scope, and may not reveal operational details. Monitoring allows access to detailed logs on insiders. A comprehensive overview of activities may only be attainable by correlating logs across organisations, to detect external insider misuse.

Internal expertise may be required to detect threats through audits, control exceptions and monitoring. Familiarity with internals may allow detection of patterns of deviant use or abnormal behaviour. Loss of detail in the analysis of third-party data is a recognised challenge in B2B partnerships.

Extended organisations may have numerous bilateral relationships forming complex networks of interdependencies. It is challenging for a focal organisation to gain a holistic view of interdependencies, threats and vulnerabilities. Individual organisations typically do not have access to enough information about external insiders. A minimal level of security across all interdependent actors is necessary, and depends on enforcing standards and monitoring security. Highly connected actors require reinforced protection.

Solutions to counter external-insider threats

Organisational controls and security mechanisms that work internally to detect and prevent classical insider threats, for example user profiling and anomaly detection, may not apply to countering external-insider threats.

The Jericho Forum (n.d.) took the view that threats may be mitigated by adopting a data-centric security view, shifting security from the complete system or infrastructure to the data, that is, storing data centrally together with policies governing its flow, enforced on trusted infrastructure. The feasibility of implementing this may be questioned because of the overheads involved in classifying a lot of data at a fine granularity.

Extended organisations may adopt federated authentication architectures. Individual organisations maintain control of identities, and high-level mechanisms link these across interdependent organisations. This allows a focal organisation to limit itself to access management. It is feasible where there is a high level of B2B trust in the identity management enforced by the federated parties. Security vulnerabilities resulting in false identities will break this system. Where there is no visibility into the identity management of all actors of the extended organisation, the focal organisation cannot assess the external insider threat. This risk can be mitigated by assurance, such as regular external audits or permanent internal auditing. Certification audits review evidence that processes comply with best practices, such as ISO/IEC 27001, or test internal controls (SAS70). However, successful audits do not translate into higher security.

Another approach is to rely on explicit third-party agreements in B2B contracts, that is Security SLAs. B2B contracts are often fairly abstract, leaving room for interpretation depending on context, which does not help address security concerns from external insiders.

While ISO/IEC 27002 specifies controls to promote security in extended organisations, the standard does not identify external insiders nor discuss security agreements. Practically, even security-conscious organisations have difficulty identifying individuals in extended organisations that may pose a threat.

A breadth-first, top-down approach to extended-organisation risk assessment is proposed, rather than assessing system security directly in detail (a depth-first approach), as is common in risk assessment. Insiders are part of an organisation and on its payroll, so their responsibilities and authorisations can be checked more easily than those of external insiders.

Challenges

1.       Trust and risk management are important to external insider risk assessment. A holistic view of interdependencies, of threats and vulnerabilities is necessary

2.       Objective measurement of the trustworthiness of associated organisations is fundamental for decision-making and sound trade-off analysis, for example between trust, risk and expected gain from a B2B relationship

3.       B2B contracts are often high-level and do not establish the IT security agreements needed to counter the threat from external insiders

4.       Distributed logging makes auditing and monitoring of external insiders difficult

5.       Certain third-party dependencies, such as outsourced technology services and infrastructure management, result in an inability to detect external insider threats

6.       Internal controls that work for insiders do not work in the extended organisation, for example behaviour monitoring

7.       Separation of the visibility of real people from their digital identities results in mismanagement of authorisations

8.       Higher than need-to-know authorisation for external insiders may be difficult to detect and manage

9.       Consensus on the semantics of roles and attributes for identity and access management across extended organisations necessitates agreement on interpretation at a fine granularity. This is aggravated by conflicts of interest

10.   Minimum levels of security must be enforced across extended organisations. Highly connected organisations need higher security to reduce propagation of risks in the network. There are risks of knowledge sharing propagation.


External insider roles and their activities

1.       Value modelling to limit the scope of analysis and identify actors. Which actor provides something of value, to whom, and receives what in return.

2.       Coordination modelling to understand business processes. For example, EDI (Electronic Data Interchange) documents are the basis for partner coordination in a value chain.

3.       IT architecture modelling for a system overview, and interconnections

4.       Identification of roles and activities of external insiders in focal organisations

5.       Access matrix for need-to-know requirements

6.       Reverse-engineering security best practices
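The access matrix of need-to-know requirements (step 5 above) and the cross-organisation log correlation described under the managerial perspective can be combined into one check. The Python below is an added example, not material from the cited paper or from this page: it encodes a constructed need-to-know matrix for two hypothetical external insider roles, then correlates a constructed focal-organisation access log with a constructed partner identity-provider log on the shared user name, flagging accesses beyond need-to-know, accesses under an identity the partner has already de-provisioned, and identities the partner never vouched for. All role names, asset names, users and log lines are constructed.

```python
from datetime import datetime

# Constructed need-to-know access matrix: external insider role -> asset -> permitted actions.
ACCESS_MATRIX = {
    "logistics_partner_clerk": {"shipping_orders": {"read", "write"}},
    "outsourced_dba": {"customer_db": {"read", "modify"}, "backup_vault": {"read"}},
}

# Constructed partner (identity provider) log: which real person holds which role, and when
# the identity was de-provisioned. Partner lifecycle events are not visible in the focal log.
PARTNER_IDP_LOG = """\
2024-05-02T08:00:01Z idp=partner.example user=j.novak role=logistics_partner_clerk status=active
2024-05-02T08:00:02Z idp=partner.example user=p.svoboda role=outsourced_dba status=active
2024-05-02T09:30:00Z idp=partner.example user=p.svoboda role=outsourced_dba status=deprovisioned
"""

# Constructed focal-organisation access log: every access was allowed by the focal systems,
# so only correlation with the partner log reveals the problems.
FOCAL_ACCESS_LOG = """\
2024-05-02T08:15:00Z user=j.novak asset=shipping_orders action=read result=allowed
2024-05-02T08:20:00Z user=j.novak asset=customer_db action=read result=allowed
2024-05-02T09:45:00Z user=p.svoboda asset=customer_db action=modify result=allowed
2024-05-02T10:00:00Z user=m.unknown asset=backup_vault action=read result=allowed
"""


def parse_kv(line):
    """Parse '<ISO timestamp> key=value ...' into a dict; 'ts' becomes an aware datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def parse_log(text):
    return [parse_kv(line) for line in text.splitlines() if line.strip()]


def identity_state(idp_events, user, ts):
    """Return (status, role) the partner asserted for `user` at time `ts`.

    status is 'unknown' when the partner log has no event for the user at or before ts.
    """
    state, role = "unknown", None
    for ev in sorted(idp_events, key=lambda e: e["ts"]):
        if ev["user"] == user and ev["ts"] <= ts:
            state, role = ev["status"], ev["role"]
    return state, role


def correlate(focal_log_text, idp_log_text, matrix):
    """Correlate focal access records with partner identity events; return a list of findings."""
    idp_events = parse_log(idp_log_text)
    findings = []
    for rec in parse_log(focal_log_text):
        state, role = identity_state(idp_events, rec["user"], rec["ts"])
        if state == "unknown":
            reason = "unknown_identity"          # nobody in the partner vouches for this login
        elif state != "active":
            reason = "identity_deprovisioned"    # real person left, digital identity still works
        elif rec["action"] not in matrix.get(role, {}).get(rec["asset"], set()):
            reason = "beyond_need_to_know"       # allowed by the system, not by the agreement
        else:
            continue
        findings.append({"user": rec["user"], "role": role, "asset": rec["asset"],
                         "action": rec["action"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in correlate(FOCAL_ACCESS_LOG, PARTNER_IDP_LOG, ACCESS_MATRIX):
        print(f)
```

The first shipping_orders read passes; the remaining three records each produce one finding that neither log would show on its own.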



[1] Jiri Vorisek, Jan Pour and Alena Buchalcevova. Management of business informatics model: principles and practices. E+M Ekonomie a Management, 18.3 (July 2015), p. 160. Technical University of Liberec, 2015.

[2] Ruben Pereira and Miguel Mira da Silva. Designing a new integrated IT Governance and IT Management framework based on both scientific and practitioner viewpoint. International Journal of Enterprise Information Systems, 8.4, p. 1, Oct-Dec 2012.

[3] M. Goeken and S. Alter. Towards conceptual metamodeling of IT governance frameworks: approach, use, benefits. In Proceedings of the Annual Hawaii International Conference on System Sciences, Big Island, pp. 1-10, 2009.

[4] A. R. Memiyanty and M. S. Putera. Ethical leadership and employee trust: Governance perspective. In Proceedings of the International Conference on Information and Financial Engineering, Chongqing, China, pp. 848-851, 2010.

[5] T. Dahlberg and P. Lahdelma. IT governance maturity and IT outsourcing degree: An exploration study. In Proceedings of the 40th Annual Hawaii International Conference on System Sciences, Waikoloa, HI, p. 236a, 2007.

[6] G. J. Selig. Implementing IT governance: A practical guide to global best practices in IT management. Amersfoort, The Netherlands, 2008.

[7] Virginia N. L. Franqueira, Andre van Cleeff, Pascal van Eck and Roel J. Wieringa. Engineering security agreements against external insider threat. Information Resources Management Journal, 26.4 (Oct-Dec 2013), p. 66.
