This paper provides a structured overview of three chapters from a Management Information Systems course focused on information security. Chapter 10 addresses project planning fundamentals, including work breakdown structures, milestones, resource management, system conversion strategies, and technology governance. Chapter 11 examines the organizational placement of the information security function, personnel hiring criteria, IS career paths, professional certifications, and security-related HR policies. Chapter 12 explores IS maintenance and risk management, covering the five-domain maintenance model, vulnerability assessment processes, penetration testing, configuration management, and digital forensics. Together, the chapters offer a cohesive framework for managing information security within an organizational context.
A project plan is essentially a formal document that guides the execution and control of a project. It is meant to achieve the planning objectives and facilitate planning decisions. It also facilitates interaction and communication between project stakeholders while detailing the costs, scope, and milestones of the project.
Before developing a project plan, it is important to have a statement of the project vision and objectives. The vision statement gives a clear picture of the direction the project intends to take in order to be successful. Objectives, on the other hand, are the targets the project will achieve to reach the desired outcome. These two elements are necessary because they guide the planning and execution of the project.
There are four categories of constraints that relate to project plan implementation. These are technological, industrial, distribution, and operational risks. Technological risks relate to failures when using different technologies; industrial risks relate to key providers being unwilling to use and share technology; distribution risks relate to distributors not delivering project requirements; and operational risks relate to a lack of commitment from project management and personnel.
The first step in executing the project plan is planning the project, which involves creating a detailed project plan. The second step is supervising the different tasks and actions to lead project implementation, while the last step is the wrap-up of the project, where managers finalize status reports and deliver a final project report.
Projectitis occurs when the project manager develops a significant attachment to the project team and spends more time on documentation and performance measurement than on actual project actions. It can be avoided through a focus on project actions, organization, and coordination.
A work breakdown structure (WBS) is a planning tool that allows the project manager to divide the project plan into several tasks placed on a task list. Each of these tasks is then further divided into simpler tasks or actions. A WBS is considered the best way to organize a project plan.
A planner can tell when a task is subdivided adequately when a single individual can complete it, or when it requires only one skill set and includes a single deliverable. A deliverable is a completed action or document that can either serve as the starting point of a different action within the project or stand as an element of a completed project.
A resource is a source or supply from which the project accrues benefit. Resources are divided into tangible and intangible categories. Tangible resources include land, capital, and labor, while intangible resources include information management systems, brands, patents, and similar assets.
It is good practice to delay naming certain individuals as resources during project planning. Rather than assigning specific individuals, the project plan should focus on the organizational roles and skill sets required to accomplish particular tasks and actions. Those tasks are then assigned to specific individuals separately.
A milestone is a particular point in the project plan at which a task and its related steps are complete and have an impact on the overall progress of the project. A good example is when a request for proposal (RFP) document is sent to vendors, because it signifies that all preparations on the part of the project sponsor have been finalized.
The project manager should assign start and end dates sparingly, which reduces the risk and impact of projectitis; completion dates are then specified only for major milestones.
The best judge of effort estimates for project tasks and actions is the individual most familiar with similar work. All individuals assigned specific action steps should review completion estimates, understand the required actions and steps, and agree with those estimates.
A dependency is defined as a relationship between tasks or steps in which one depends on the completion of the other before it can begin. A predecessor is the task that precedes another, while a successor is the task that follows.
A negative feedback loop is a process often used to manage a project to completion. The project's assessed results are compared to the expected results, and when a deviation is found, corrective action is taken to bring the task into compliance with the project plan.
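The planning rules summarized above (a WBS broken into actions assigned to roles rather than named people, one deliverable per action, predecessor/successor dependencies, milestones, and a negative feedback loop comparing assessed to planned results) can be modelled in a few dozen lines. The following is an added example, not code from the course text or any textbook; the task names, roles, effort figures and tolerance are constructed for illustration.

```python
"""Added example (not from the course text): a small work-breakdown-structure
model that applies the planning rules above. Task names, roles and effort
figures are constructed sample data."""
from dataclasses import dataclass, field
from graphlib import TopologicalSorter, CycleError
from typing import Dict, List


@dataclass
class Action:
    name: str
    role: str                       # organizational role, not a named person
    deliverable: str                # exactly one deliverable per action
    predecessors: List[str] = field(default_factory=list)
    milestone: bool = False         # completion has plan-level impact
    planned_days: int = 1


def validate_subdivision(actions: Dict[str, Action]) -> List[str]:
    """Report actions that are not adequately subdivided: no deliverable,
    more than one role required, or a predecessor that does not exist."""
    problems = []
    for a in actions.values():
        if not a.deliverable.strip():
            problems.append(f"{a.name}: no deliverable defined")
        if "," in a.role or "/" in a.role:
            problems.append(f"{a.name}: requires more than one role ({a.role})")
        for p in a.predecessors:
            if p not in actions:
                problems.append(f"{a.name}: unknown predecessor {p!r}")
    return problems


def execution_order(actions: Dict[str, Action]) -> List[str]:
    """Order actions so every predecessor precedes its successor.
    A circular dependency is a planning error, so it is raised, not hidden."""
    graph = {name: set(a.predecessors) for name, a in actions.items()}
    try:
        return list(TopologicalSorter(graph).static_order())
    except CycleError as e:
        raise ValueError(f"circular dependency: {e.args[1]}") from None


def milestones(actions: Dict[str, Action], order: List[str]) -> List[str]:
    """Milestones in the order they will be reached."""
    return [n for n in order if actions[n].milestone]


def feedback_check(actions: Dict[str, Action], actual_days: Dict[str, int],
                   tolerance: float = 0.25) -> List[str]:
    """Negative feedback loop: compare assessed effort with planned effort and
    flag actions that deviate by more than the tolerance for corrective action."""
    out = []
    for name, spent in actual_days.items():
        planned = actions[name].planned_days
        if spent > planned * (1 + tolerance):
            out.append(f"{name}: {spent}d spent vs {planned}d planned, "
                       "corrective action needed")
    return out


# Constructed sample plan: preparing and issuing an RFP.
PLAN = {a.name: a for a in [
    Action("define_requirements", "security analyst", "requirements document",
           planned_days=5),
    Action("draft_rfp", "procurement lead", "RFP draft",
           ["define_requirements"], planned_days=3),
    Action("send_rfp", "project sponsor", "RFP sent to vendors",
           ["draft_rfp"], milestone=True),
    Action("evaluate_bids", "security manager", "vendor shortlist",
           ["send_rfp"], planned_days=4),
]}

if __name__ == "__main__":
    print("subdivision problems:", validate_subdivision(PLAN))
    order = execution_order(PLAN)
    print("execution order:", order)
    print("milestones:", milestones(PLAN, order))
    print("deviations:", feedback_check(PLAN, {"define_requirements": 7, "draft_rfp": 3}))
```

The order produced for unrelated actions is arbitrary but always respects every predecessor link; the cycle check matters because a WBS with a circular dependency can never reach its milestones.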
When converting to a new system, four approaches are commonly used. The first is direct changeover, which involves stopping the old system and starting the new one immediately. This is relatively straightforward for simple changes but becomes more challenging when change procedures are complex. The second is phased implementation, where the rollout is carried out in stages until all systems have been converted. The third is pilot implementation, where a single department or division adopts the new system first and serves as a test case before the change is extended to other areas. The fourth is parallel operation, where both the old and new systems run concurrently, allowing a fallback to the old system if needed.
Technology governance is a complex process through which organizations manage the cost of technology and innovation by facilitating communication about technical issues. Change control is the process by which the organization manages the impact of a technical change.
Accreditation is the authority granted to an IT system to process, transmit, and store information, and it is issued as assurance that the system meets adequate quality standards. Certification is a comprehensive evaluation of the technical and non-technical controls within an IT system.
No single person or department determines where information security should reside within an organization. It is the responsibility of the entire organization to find a rational placement for the information security function, one that can balance the needs of education, training, policy, and awareness.
The information security function can be placed within the IT function, given its relationship to IT operations. It can also be positioned as a peer of physical security, since both serve as protective functions. Alternatively, it may be placed under administration as a peer to human resources, or under the legal department for enforcement of the organization's security policies.
The criteria for selecting information security (IS) personnel include hiring a manager who can work effectively with diverse people, who can perceive threats to the organization, and who understands the technical controls needed to mitigate those risks.
Factors that influence an organization's IS hiring decisions include attitude, understanding of the role, sensitivity awareness regarding role-related information, working knowledge of IT technologies, and understanding of the education and training requirements of the position.
When dismissing an employee, whether under friendly or hostile circumstances, the organization must consider information security. The employee may store information on personal drives or storage media. Accordingly, the employee's system access should be disabled and keycard access revoked, and the employee should remove personal effects from the premises.
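The controls listed above (system access disabled, keycard revoked) only protect the organization if someone verifies they actually happened. The following is an added example, not part of the course text: a post-termination check that reads an export of directory accounts and badge records, and reports any terminated employee whose account is still enabled, whose keycard is still active, or who logged in after the termination date. The account and badge records are constructed sample data; a real run would export them from the identity provider and the physical access system.

```python
"""Added example (not from the course text): verify that offboarded employees
have had system access disabled and keycards revoked. Records below are
constructed sample data."""
from datetime import date
from typing import Dict, List, NamedTuple, Optional


class Account(NamedTuple):
    user: str
    enabled: bool
    last_login: Optional[date]


class Badge(NamedTuple):
    user: str
    active: bool


def offboarding_findings(terminated: Dict[str, date],
                         accounts: List[Account],
                         badges: List[Badge]) -> List[str]:
    """Return one finding per control gap for each terminated employee.
    An empty list means every termination was fully actioned."""
    acct_by_user = {a.user: a for a in accounts}
    badge_by_user = {b.user: b for b in badges}
    findings = []
    for user, end_date in terminated.items():
        acct = acct_by_user.get(user)
        if acct is None:
            # Cannot prove access was removed if the account cannot be located.
            findings.append(f"{user}: no directory account found, confirm identity mapping")
        else:
            if acct.enabled:
                findings.append(f"{user}: system account still enabled after {end_date}")
            if acct.last_login and acct.last_login > end_date:
                findings.append(f"{user}: login on {acct.last_login} "
                                f"after termination on {end_date}")
        badge = badge_by_user.get(user)
        if badge is not None and badge.active:
            findings.append(f"{user}: keycard still active after {end_date}")
    return findings


# Constructed sample exports: jdoe was offboarded correctly, asmith was not.
TERMINATED = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 3, 15)}
ACCOUNTS = [
    Account("jdoe", enabled=False, last_login=date(2024, 2, 28)),
    Account("asmith", enabled=True, last_login=date(2024, 3, 18)),
    Account("bwong", enabled=True, last_login=date(2024, 3, 20)),   # still employed
]
BADGES = [Badge("jdoe", False), Badge("asmith", True), Badge("bwong", True)]

if __name__ == "__main__":
    for line in offboarding_findings(TERMINATED, ACCOUNTS, BADGES):
        print(line)
```

A login after the termination date is the finding to escalate first: it indicates not just an incomplete offboarding but credentials that were actually used once the employee should have had no access.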