Welcome to our website

At this place students find the answers to their professional course syllabus. We have found lots of issues related to their exams in an easy language.

Professional Shiksha is for all professional students. We are gradually working on every aspect of the theoretical work of those students, and very soon they will get the most out of their syllabus.

Thursday 29 November 2012

Information Resource Management


The underlying philosophy behind Information Resource Management (IRM) is to design, inventory and control all of the resources required to produce information. When standardized and controlled, these resources can be shared and re-used throughout the corporation, not just by a single user or application.
There are three classes of information resources:

 
  • BUSINESS RESOURCES - Enterprises, Business Functions, Positions (Jobs), Human/Machine Resources, Skills, Business Objectives, Projects, and Information Requirements.
  • SYSTEM RESOURCES - Systems, Sub-Systems (business processes), Administrative Procedures (manual procedures and office automation related), Computer Procedures, Programs, Operational Steps, Modules, and Subroutines.
  • DATA RESOURCES - Data Elements, Storage Records, Files (computer and manual), Views, Objects, Inputs, Outputs, Panels, Maps, Call Parameters, and Data Bases.
These three classes of information resources provide the rationale as to why there are three complementary methodologies within "PRIDE".
  • ENTERPRISE ENGINEERING METHODOLOGY (EEM) - for defining the mission and goals of the business and the development of an Enterprise Information Strategy synchronized with the business.
  • INFORMATION SYSTEMS ENGINEERING METHODOLOGY (ISEM) - for designing and building enterprise-wide information systems (business processes crossing organizational boundaries). Software Engineering is considered a subset of ISEM.
  • DATA BASE ENGINEERING METHODOLOGY (DBEM) - to design and develop the corporate data base, both logically and physically.
Each methodology consists of a series of defined phases, activities and operations. Laced throughout the methodologies are defined deliverables and review points to substantiate completeness and to provide an effective dialog between management and developers. The methodologies promote design correctness and the production of a quality product.
IRM/MRP ANALOGY
The concept of Information Resource Management is actually no different in intent than "Materials Resource Planning" (MRP) as used in manufacturing. Both are concerned with the efficient and cost effective use of resources. The classification and control of resources are the main objectives. Resources are classified to prove their uniqueness so that redundancy is not introduced and to promote sharing. Control is required to collect, inventory and retrieve resources as required by the business.
Whereas MRP is concerned with managing products and the parts required to produce them, IRM is concerned with managing information and the resources required to produce it.
One of the important by-products of cataloging and cross-referencing information resources is a model of the enterprise, including how it is organized and how it operates. Other benefits include:
  • All information resources are controllable, permitting the ability to design integrated systems and perform an "impact analysis" of a proposed resource change.
  • Simplified search of information resources for reuse. Redundancy of resource definition is eliminated.
  • Complete and current documentation of all information resources, in an organized and meaningful way.
  • Communication within the organization is improved, since developers and users would use standard and common definitions for information resources, all of which would be in standard business terminology.


Techniques of Information resource management

Techniques of Information Resource Management are derived from the fields that have been associated with the Information Systems.
These can be listed as follows:
  1. Database design and development, derived from computer science.
  2. Classification of data and information retrieval, derived from library and information sciences.
  3. Document life cycle, derived from records management.
  4. Information systems and technology audits, derived from other audit systems (finance, communication, energy, etc.) and from organizational psychology.
  5. Cost-benefit analysis and valuation of information resources, derived from finance and business management.

Friday 16 November 2012

Information security




Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer. Information assurance focuses on the reasons for assurance that information is protected, and is thus reasoning about information security.
The CIA triad (confidentiality, integrity and availability) is one of the core principles of information security. The elements described here are confidentiality, integrity, authenticity, availability, and non-repudiation.

Confidentiality
Confidentiality means preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.
Integrity
In information security, integrity means that data cannot be modified undetectably. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.
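The difference between a plain checksum and a keyed integrity check for a message in transit, as an added example that is not part of the original notes. The key, the messages and all function names are constructed; HMAC-SHA256 is one common choice of mechanism, not one the notes name.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output size in bytes

def seal_unkeyed(message: bytes) -> bytes:
    """Weak form: prepend a plain SHA-256 digest, which anyone can recompute."""
    return hashlib.sha256(message).digest() + message

def check_unkeyed(blob: bytes) -> bool:
    digest, message = blob[:TAG_LEN], blob[TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(message).digest())

def seal_hmac(key: bytes, message: bytes) -> bytes:
    """Prepend an HMAC-SHA256 tag computed with a key shared by sender and receiver."""
    return hmac.new(key, message, hashlib.sha256).digest() + message

def check_hmac(key: bytes, blob: bytes) -> bool:
    tag, message = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison

def modified_in_transit(blob: bytes, new_message: bytes) -> bytes:
    """Models a party on the channel that holds no key: it swaps the message
    and recomputes the only value it can, an unkeyed SHA-256 digest."""
    return hashlib.sha256(new_message).digest() + new_message

# Constructed sample data.
KEY = b"constructed-demo-key-not-for-production-use"
ORIGINAL = b"pay merchant=42 amount=10.00"
ALTERED = b"pay merchant=42 amount=9999.00"

def demo() -> dict:
    """Return which blobs each receiver-side check accepts."""
    weak = modified_in_transit(seal_unkeyed(ORIGINAL), ALTERED)
    keyed = modified_in_transit(seal_hmac(KEY, ORIGINAL), ALTERED)
    return {
        "unkeyed_original_ok": check_unkeyed(seal_unkeyed(ORIGINAL)),
        "unkeyed_altered_accepted": check_unkeyed(weak),
        "hmac_original_ok": check_hmac(KEY, seal_hmac(KEY, ORIGINAL)),
        "hmac_altered_accepted": check_hmac(KEY, keyed),
    }

if __name__ == "__main__":
    print(demo())
```

The unkeyed digest accepts the altered message, so it does not meet the definition above; the keyed tag rejects it. Because sender and receiver hold the same key, an HMAC tag gives integrity but not non-repudiation.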

Availability
For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

Authenticity

In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. Authenticity also requires validating that both parties involved are who they claim to be.

Non-repudiation

In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction.
Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation. 
 

Risk management

Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.
Two things follow from this definition. First, the process of risk management is an ongoing, iterative process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerabilities emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (manmade or act of nature) that has the potential to cause harm.
The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called "residual risk".

Controls

When management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls.

Administrative

Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. They inform people on how the business is to be run and how day to day operations are to be conducted. Laws and regulations created by government bodies are also a type of administrative control because they inform the business. Some industry sectors have policies, procedures, standards and guidelines that must be followed – the Payment Card Industry (PCI) Data Security Standard required by Visa and MasterCard is such an example. Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.
Administrative controls form the basis for the selection and implementation of logical and physical controls. Logical and physical controls are manifestations of administrative controls. Administrative controls are of paramount importance.

Logical

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.
An important logical control that is frequently overlooked is the principle of least privilege. The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task.

Physical

Physical controls monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc. Separating the network and workplace into functional areas is also a physical control.
An important physical control that is frequently overlooked is the separation of duties. Separation of duties ensures that an individual cannot complete a critical task by himself. For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check. An applications programmer should not also be the server administrator or the database administrator – these roles and responsibilities must be separated from one another.
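A check for the reimbursement example above, run over a workflow audit trail. This is an added example, not part of the original notes; the step names, request ids and actors are constructed.

```python
from collections import defaultdict

# Step pairs that one person must not both perform on the same request,
# taken from the reimbursement example: the submitter may neither
# authorize the payment nor print the check.
INCOMPATIBLE = [("submit", "authorize"), ("submit", "print_check")]

# Constructed audit trail: (request_id, step, actor)
EVENTS = [
    ("R-100", "submit", "alice"),
    ("R-100", "authorize", "bob"),
    ("R-100", "print_check", "carol"),
    ("R-101", "submit", "dave"),
    ("R-101", "authorize", "dave"),      # same person submits and authorizes
    ("R-101", "print_check", "carol"),
    ("R-102", "submit", "erin"),
    ("R-102", "authorize", "bob"),
    ("R-102", "print_check", "erin"),    # same person submits and prints
]

def sod_violations(events):
    """Return (request_id, actor, step_a, step_b) for every request on which
    one actor performed both steps of an incompatible pair."""
    actors = defaultdict(lambda: defaultdict(set))  # request -> step -> actors
    for request_id, step, actor in events:
        actors[request_id][step].add(actor)

    findings = []
    for request_id in sorted(actors):
        for step_a, step_b in INCOMPATIBLE:
            both = actors[request_id][step_a] & actors[request_id][step_b]
            for person in sorted(both):
                findings.append((request_id, person, step_a, step_b))
    return findings

if __name__ == "__main__":
    for finding in sod_violations(EVENTS):
        print("separation-of-duties violation:", finding)
```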
