Hello, please find the attached documents for stage 3. I also attached stages 1 & 2 you have completed for your reference. Please make sure resources are incorporated and used effectively. References should appropriately be incorporated and cited using APA style 7th edition.
Thank you and please let me know if you have any questions.
information systems security
Stage 1: Strategic Use of Technology
Maryland Technology Consultants (MTC)
IFSM 300 Information Systems in Organizations
01/25/2023
Introduction
Maryland Technology Consultants is a consulting firm that specializes in providing Information Technology (IT) solutions to clients. The firm uses proven methodologies to deliver measurable results and enhance business performance. The provision of IT consulting and outsourcing services will be the main topics of the Business Analysis and System Recommendations (BA&SR) report on MTC’s commercial zone. Therefore, the report aims to create a strategic plan for implementing an onboarding program or recruiting system to enhance MTC’s recruitment procedure. The report will employ a four-stage strategy to accomplish this goal. Each of them examines a different portion of the study. The report will emphasize providing exceptional consulting guidance and advice to its customers by hiring highly qualified experts and keeping up to date with cutting-edge business technologies and innovations.
I. Strategic Use of Technology
A. Business strategy
IT can revolutionize the manufacturing industry and transform business operations. Utilizing technology plays a critical role in trade and economic growth and can aid MTC in boosting its business progress through new contracts and partnerships (UMGC, 2023). The usage of IT also broadens MTC’s reach because it is no longer constrained by geographical region. By utilizing IT, MTC can assemble a group of international consultants that can help American onsite teams via remote study and evaluation. This can be one of the company’s strategies. Additionally, IT enables more efficient identification of potential business partners in other countries or continents.
B. Competitive advantage
The Manufacturing Technology Corporation (MTC) operates in a highly competitive market, facing competition from both large-scale IT consulting organizations and smaller companies with specialized skill sets, as well as small to mid-sized businesses. MTC is concentrating on its hiring method to draw top IT experts with in-depth knowledge of cutting-edge technology and an inventive strategy for problem-solving for customers in order to acquire a competitive advantage (Amadeo & Rasure, 2022). The organization is aware that many applicants utilize online forms and anticipate a simple and quick application procedure in the current digital era. MTC has implemented an integrated hiring and retention strategy to fulfill this expectation, including a new IT solution. The candidate monitoring and hiring procedure is improved overall by this technology, which monitors the process more effectively than the manual method. The system also has a tool for managing business activities, simplifying management (David & David, 2016). The recruiting and recruitment procedures are streamlined by a piece of software called the applicant tracking system. Online processing allows the monitoring system to manage business operations and gather data, giving MTC a competitive edge over its main competitors.
C. Strategic Objectives
MTC intends to compete with more prominent companies for new IT Consulting projects by offering highly qualified IT consultants. MTC will be likely to do this in order to boost its effectiveness.
| Strategic Goal | Objective | Explanation |
|---|---|---|
| Increase MTC business development by winning new contracts in the areas of IT consulting. | Look into prospective business opportunities. Think about taking on one contract as the prime contractor and collaborating with at least two big firms as a subcontractor. | This statement suggests that the person or company should research different business opportunities and consider taking on a contract as the primary contractor while working with two other larger companies as subcontractors. This could involve partnering with larger companies to bid on and complete a project, with the primary contractor taking on the lead role and the subcontractors providing additional resources and expertise. This strategy could potentially help the primary contractor gain experience and credibility in the industry while also leveraging the resources and reputation of the larger firms. |
| Build a cadre of consultants internationally to provide remote research and analysis support to MTC’s onsite teams in the U. S. | Over the next twelve months, increase overseas hiring and bring on six research analysts. | Online applications will be accepted from candidates worldwide, resulting in a spike in the number of international applicants. As a result, hiring managers would have the chance to track candidates’ progress for these roles, identify key research competencies, and evaluate resumes in light of those competencies. By looking at the applicant pool, recruitment agencies can quickly assess how many candidates are required to fulfill a goal. |
| Continue to increase MTC’s ability to provide high-quality consultants to quickly awarded contracts to best serve the client’s needs. | Enlarge the hiring market. Over the next five months, five exceptionally talented talent acquisition specialists with at minimum five years of fast-paced experience in the industry should be employed. | To implement the new hiring strategy successfully, hiring qualified recruitment agencies used to demanding work settings is vital. They ought to know about hiring personnel after winning contracts. |
| Increase MTC’s competitive advantage in the IT consulting marketplace by increasing its reputation for having IT consultants who are highly skilled in leading edge technologies and innovative solutions for its clients. | Create a culture within your firm that will draw in and keep talent. Reward staff members every quarter and acknowledge their contributions. Make use of MTC’s advantages to expand your clientele and gain more market share. | Rewarding top achievers will result in happier, more productive workers and lower turnover rates. Customers will value and appreciate MTC’s qualities, resulting in new contracts and collaborations. |
D. Decision Making
Data tracking capabilities are among the most crucial features of information systems. The fact that an info system turns data into specific information is vital to comprehend. The ability to make decisions can be strengthened by using upgraded information just after data has been converted into knowledge.
| Role | Level as defined in Course Content Reading | Example of Possible Decision Supported by Hiring System | Example of Information the Hiring System Could Provide to Support Your Example Decision |
|---|---|---|---|
| Senior/Executive Managers (Decisions made by the CEO and the CFO at MTC supported by the hiring system) | Strategic level | Promote emerging markets that you are considering joining. | You should specify how many experts you will need because you will be working with a new arrangement. |
| Middle Managers (Decisions made by the Director of HR and the Manager of Recruiting supported by the hiring system) | Managerial level | There are various phases involved in allocating budgets and resources. | According to the contract terms, candidates might be chosen by hiring managers and the director of the headquarters office. |
| Operational Managers (Decisions made by the line managers in the organization who are hiring for their projects supported by the hiring system) | Operational level | Work at a different location with workers moving from one area to another. | All qualifications and certificates necessary for the new post will be confirmed through the system’s verification procedure. |
References
Amadeo, K., & Rasure, E. (2022, January). US and World Economies, What is Competitive Advantage? https://www.thebalance.com/what-is-competitive-advantage-3-strategies-that-work-3305828
UMGC (2023). Business Strategy. Retrieved from https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/business-strategy.html?wcmmode=disabled
David, F., & David, F. R. (2016). Strategic management: A competitive advantage approach, concepts, and cases. Pearson–Prentice Hall. Retrieved from https://gibsoncollege.edu.et/wp-content/uploads/2022/01/Strategic-Management-Concepts-and-Cases-15th-Ed.-by-Fred-R.-David-and-Forest-R.-David
Stage 3: Requirements-3 pages
Before you begin work on this assignment, be sure you have read the Case Study and reviewed the feedback received on your Stage 1 and 2 assignments.
Overview
As the business analyst in the CIO’s department of Maryland Technology Consulting (MTC), your next task in developing your Business Analysis and System Recommendation (BA&SR) Report is to develop a set of requirements for the hiring system.
Assignment – BA&SR Section III. Requirements
The first step is to review any feedback from previous stages to help improve the effectiveness of your overall report and then add the new section to your report. Only content for Stage 3 will be graded for this submission. Part of the grading criteria for Stage 4 includes evaluating if the document is a very effective and cohesive assemblage of the four sections, is well formatted and flows smoothly from one section to the next. For this assignment, you will add Section III of the Business Analysis and System Recommendation (BA&SR) Report to your Sections I and II. In this section you will identify requirements for the new hiring system. This analysis leads into Section IV. System Recommendation of the BA&SR (Stage 4 assignment) that will analyze a proposed IT solution to ensure it meets MTC’s organizational strategy and fulfills its operational needs.
Using the case study, assignment instructions, Content readings, and external research, develop your Section III. Requirements. The case study tells you that the executives and employees at Maryland Technology Consultants (MTC) have identified a need for an effective and efficient applicant tracking or hiring system.
As you review the case study, use the assignment instructions to take notes to assist in your analysis. In particular, look for information in the interviews to provide stakeholder interests and needs.
Use the outline format, headings and tables provided and follow all formatting instructions below.
III. Requirements
A. Stakeholder Interests – Review the interest or objectives for the new hiring system for each stakeholder listed below based on his or her organizational role and case study information. Consider how the technology will improve how his/her job is done; that is, identify what each of the stakeholders needs the hiring system to do. Then to complete the table below, use information from the stakeholder interviews and identify one significant challenge or problem for each stakeholder related to the current hiring process (not their future expectations). Then explain how a system could address their problems. Do not define what that position does in the organization. (Provide an introductory sentence for this section, copy the table below and complete the two columns with 1-2 complete sentences for each role in each column.)
| Role | Specific problem related to the current hiring process | How a technology solution to support the hiring process could address the problem |
|---|---|---|
| 1. CEO | | |
| 2. CFO | | |
| 3. CIO | | |
| 4. Director of Human Resources | | |
| 5. Manager of Recruiting | | |
| 6. Recruiters | | |
| 7. Administrative Assistant | | |
| 8. Hiring Manager | | |
B. Defining Requirements – The next step is to identify the essential requirements for the information system. In addition to the stakeholder interests identified above, review the Case Study, especially the interviews, highlighting any statements that tell what the person expects or needs the system to do. User requirements express specifically what the user needs the system to do. This can be in terms of tasks the users need to perform, data they need to input, what the system might do with that data input, and output required. System performance requirements express how the system will perform in several performance areas and security. As a member of the CIO’s organization, you will use your professional knowledge to identify 5 User Requirements (including one specifically related to reporting) and 5 System Performance Requirements (including 2 security-related requirements). Refer to Week 5 content on requirements; security requirements are covered in Week 6. Additional research can expand your knowledge of these areas.
Once you have identified the 10 requirements, evaluate each one using the criteria below and create 10 well-written requirements statements for the new hiring system.
The requirement statement:
· Is a complete sentence, with a subject (system) and predicate (intended result, action or condition).
· Identifies only one requirement; does not include the words “and,” “also,” “with,” and “or.”
· For User Requirements, states what tasks the system will support or perform.
· For System Performance Requirements, states how the system will perform.
· Includes a measure or metric that can be used to determine whether the requirement is met (time or quantity), where appropriate.
· Is stated in positive terms and uses “must” (not “shall,” “may” or “should”); “the system must xxxx” not “the system must not xxx”.
· Avoids the use of terms that cannot be defined and measured, such as “approximately,” “robust,” “user friendly,” etc.
· Is achievable and realistic; avoids terms such as “100% uptime,” or “no failures”.
For a full requirements document, there will be many requirement statements; you only need to provide the number of requirements identified for each category. Do not provide generic statements but relate to the needs of MTC to improve its hiring process.
(Provide an introductory sentence, copy the table, and complete the Requirements Statement and Stakeholder columns. No additional information should be entered into the first column, Requirement ID.)
| Requirement ID# only | Requirement Statement | Stakeholder (Position and Name from Case Study that identified this requirement) |
|---|---|---|
| User Requirements – | | |
| EXAMPLE | The system must store all information from the candidate’s application/resume in a central applicant database. | Recruiter – Peter O’Neil |
| 1. | | |
| 2. | | |
| 3. | | |
| 4. | | |
| 5. (Reporting- | | |
| System Performance Requirements – | | |
| | The system must be implemented as a Software as a Service solution. | CIO – Raj Patel |
| 6. | | |
| 7. | | |
| 8. | | |
| 9. (Security- | | |
| 10. | | |
Formatting Your Assignment
Consider your audience – you are writing in the role of an MTC business analyst and your audience is MTC and your boss, the CIO. Don’t discuss MTC as if the reader has no knowledge of the organization. Use third person consistently throughout the report. In third person, the writer avoids the pronouns I, we, my, and ours. The third person is used to make the writing more objective by taking the individual, the “self,” out of the writing. This method is very helpful for effective business writing, a form in which facts, not opinion, drive the tone of the text. Writing in the third person allows the writer to come across as unbiased and thus more informed.
· In Stage 3, you are preparing the third part of a 4-stage report. Use the structure, headings, and outline format provided here for your report. Use the numbering/lettering in the assignment instructions as shown below.
III. Requirements
A. Stakeholder Interests
B. Defining Requirements
· Begin with Sections I and II, considering any feedback received, and add to it Section III.
· Write a short concise paper: Use the recommendations provided in each area for length of response. It’s important to value quality over quantity. Section III should not exceed 3 pages.
· Content areas should be double spaced; table entries should be single-spaced.
· To copy a table: Move your cursor to the table, then click on the small box that appears at the upper left corner of the table to highlight the table; right click and COPY the table; put the cursor in your paper where you want the table and right click and PASTE the table.
· Ensure that each of the tables is preceded by an introductory sentence that explains what is contained in the table, so the reader understands why the table has been included.
· Continue to use the title page created in Stage 1 that includes: The title of report, company name, your name, Course and Section Number, and date of this submission.
· Use at least two resources with APA formatted citation and reference for this Stage 3 assignment. Use at least one external reference and one from the course content. Course content should be from the class reading content, not the assignment instructions or case study itself. For information on APA format, refer to Content>Course Resources>Writing Resources.
· Add the references required for this assignment to the Reference Page. Additional research in the next stage will be added to this as you build the report. The final document should contain all references from all stages appropriately formatted and alphabetized.
· Running headers are not required for this report.
· Compare your work to the Grading Rubric below to be sure you have met content and quality criteria.
· Submit your paper as a Word document, or a document that can be read in Word. Keep tables in Word format – do not paste in graphics.
· Your submission should include your last name first in the filename: Lastname_firstname_Stage_3
GRADING RUBRIC:
| Criteria | Far Above Standards | Above Standards | Meets Standards | Below Standards | Well Below Standards | Possible Points |
|---|---|---|---|---|---|---|
| Stakeholder Interests: Identification of specific stakeholder problems (interests and objectives for improving the hiring process) and how a technology system could address. Generally, 0-3 points per role. Both quantity and quality evaluated. | 38.4 Points; 35.2-38.4 Points. Problems and how a technology solution will address are correctly and clearly described and fully explained using a sophisticated level of writing. | 32.64 points; 32-33.6 Points. Problems and how a technology solution will address are clearly described and explained using an effective level of writing. | 28.8 points; 27.2-30.4 Points. Problems and how a technology solution will address are described and explained. | 23.808 points; 22.4-25.6 Points. Problems and how a technology solution will address are not clearly described and explained; and/or lacks effective presentation of information. | 0 points; 0-20.8 Points. Content missing or extremely incomplete, did not reflect the assignment instructions, showed little or no originality, demonstrated little effort, is not supported with information from the Case Study; and/or is not original work for this class section. | 38.4 |
| User Requirements: 5 user requirements (1 addresses reporting). Generally, 0-5 points each. Both quantity and quality evaluated. | 40 points; 36.8-40 Points. Correctly identified, written and sourced; clearly derived from the Case Study; demonstrates sophisticated analysis. | 33.6 points; 32-35.2 Points. Identified, written and sourced correctly; requirements are derived from the Case Study; demonstrates effective analysis. | 28.8 points; 27.2-31.7 Points. Identified and sourced; requirements are related to the Case Study. | 25.6 points; 24-25.6 Points. Fewer than 5 requirements are identified and sourced; and/or information provided is not correct; and/or requirements are not all related to the Case Study. | 0 points; 0-22.4 Points. Content missing or extremely incomplete, did not reflect the assignment instructions, showed little or no originality, demonstrated little effort, is not supported with information from the Case Study; and/or is not original work for this class section. | 40 |
| Performance Requirements: 3 performance requirements and 2 system security requirements. Generally, 0-5 points each. Both quantity and quality evaluated. | 40 points; 36.8-40 Points. Correctly identified, written and sourced; clearly derived from the Case Study; demonstrates sophisticated analysis. | 33.6 points; 32-35.2 Points. Identified, written and sourced correctly; requirements are derived from the Case Study; demonstrates effective analysis. | 28.8 points; 27.2-31.7 Points. Identified and sourced; requirements are related to the Case Study. | 25.6 points; 24-25.6 Points. Fewer than 5 requirements are identified and sourced; and/or information provided is not correct; and/or requirements are not all related to the Case Study. | 0 points; 0-22.4 Points. Content missing or extremely incomplete, did not reflect the assignment instructions, showed little or no originality, demonstrated little effort, is not supported with information from the Case Study; and/or is not original work for this class section. | 40 |
| Research: Two or more sources–one source from within the IFSM 300 course content and one external (other than the course materials) | 16 points; 14.4-16 Points. Required resources are incorporated and used effectively. Sources used are relevant and timely and contribute strongly to the analysis. References are appropriately incorporated and cited using APA style. | 13.6 points; 13.6 Points. At least two sources are incorporated and are relevant and somewhat support the analysis. References are appropriately incorporated and cited using APA style. | 12 points; 12 Points. Only one resource is used and properly incorporated and/or reference(s) lack correct APA style. | 10.4 points; 10.4 Points. A source may be used, but is not properly incorporated or used, and/or is not effective or appropriate; and/or does not follow APA style for references and citations. | 0 points; 0-8 Points. No course content or external research incorporated; or reference listed is not cited within the text. | 16 |
| Format: Uses outline format provided; includes Title Page and Reference Page | 25.6 points; 22.4-25.6 Points. Very well organized and easy to read. Very few or no errors in sentence structure, grammar, and spelling; double-spaced, written in third person and presented in a professional format. | 20.736 points; 19.2-10.8 Points. Effective organization; has few errors in sentence structure, grammar, and spelling; double-spaced, written in third person and presented in a professional format. | 17.664 points; 17.6 Points. Some organization; may have some errors in sentence structure, grammar and spelling. Report is double spaced and written in third person. | 15.872 points; 16 Points. Not well organized, and/or contains several grammar and/or spelling errors; and/or is not double-spaced and written in third person. | 0 points; 0-14.4 Points. Extremely poorly written, has many grammar and/or spelling errors, or does not convey the information. | 25.6 |
| TOTAL Points Possible | | | | | | 160 |
Stage II: Process Analysis
Maryland Technology Consultants (MTC)
IFSM 300 Information Systems in Organizations
02/07/2023
II. Process Analysis
A. Hiring Process
Maryland Technology Consultants (MTC) wants to develop and become a leading provider of IT consulting services with an objective to electronically replace the manual hiring procedure now in place. The table below will describe the present procedure, make some suggestions, and explain to MTC the necessity for a new approach.
MTC Hiring Process

| As-Is Process | Responsible MTC Position | To-Be Process – How the system Will Support and Improve the hiring process | Business Benefits of Improved Process (Align with MTC’s overall business strategy and needs.) |
|---|---|---|---|
| 1. Recruiter receives application from job hunter via Postal Service Mail. | Recruiter | The system will receive the application via online submission through MTC Employment Website and store it in the applicant database within the hiring system. | A more efficient submission process decreases the time needed to receive and begin processing applications. This will present a positive image to potential employees and help MTC compete for top IT talent (UMGC, 2019). |
| 2. Recruiter screens resumes to identify top candidates by matching with job requirements from job description. | | The system will be employed to sort applications and choose the best applicants who satisfy the criteria. | The procedure will be enhanced by quicker testing and processing time that only displays suitable individuals, saving time and enabling MTC to rob a bigger circle of applicants quickly. |
| 3. Recruiter forwards top candidates to Administrative Assistant via interoffice mail | | The system shall produce an account with the best prospects that may be electronically forwarded to the AA. | The information about the candidates will be provided immediately to the AA because of a paperless update procedure. |
| 4. Administrative Assistant forwards candidates’ resumes and applications to hiring manager for the position via interoffice mail. | Administrative Assistant | The technology will inevitably create a package with the candidate’s information and send it to the hiring manager after pulling it from a database. | The prospective employer can obtain and examine the data electronically to conduct additional candidate screening, saving time and productivity (Business Enterprise Mapping, 2021). |
| 5. Hiring Manager reviews applications and selects who he/she wants to interview. | Hiring Manager | The information system will enable resume searches to find particular qualifications and talents the recruiting manager is looking for in a candidate. | A system with searchable material will streamline the hiring process by focusing on competent individuals. By cutting down on the time needed to read and examine paper resumes, it will help MTC reach its employment objective more quickly. |
| 6. Hiring Manager sends email to Administrative Assistant on who he/she has selected to interview and identifies members of the interview team. | | The solution will let the hiring manager immediately notify the AA of the chosen applicants and interview panel. | The system’s deployment will shorten the time needed for the hiring manager to provide info to the AA. The recruiting process will move faster because of this benefit for MTC. |
| 7. AA schedules interviews by contacting interview team members and hiring manager to identify possible time slots | | The technology allows the AA to choose the days and times they are eligible for interviews by synchronizing the recruiting manager’s and the assessment team’s appointments. | Conflicts over scheduling and repeated phone conversations can be avoided with a system that syncs calendars, picks time slots, and generates emails for the AA (Business Enterprise Mapping, 2021). |
| 8. AA emails candidates to schedule interviews. | | The solution permits the AA to deliver an automatically compiled email containing all of the available time slots and a read receipt certification. | The system can monitor who has or hasn’t replied to the interview emails and can notify or remind the AA to verify the interview times. This allows for smooth tracking. |
| 9. Interview is conducted with candidate, hiring manager and other members of the interview team. | Hiring Manager and Interview Team | The interview is conducted with the candidate, hiring manager, and other interview team members. | n/a |
| 10. AA collects feedback from interviews and status of candidates | | After the interviews are over, the interviewers can input their feedback into the system. The AA can be alerted to view the response in the system and modify the status of the applicants. | The system will effectively score the applicants and update their position by sending notifications when feedback is entered. This will simplify the work for the AA. |
| 11. Hiring manager informs the AA on his top candidate for hiring | | The hiring manager should utilize the system to choose the final options and then send a notification to the AA so that they can retrieve the data from the database. | |
| 12. Administrative Assistant prepares offer letter based on information from recruiter and puts in the mail to the chosen candidate. | | The system enables AA to prepare a job offer letter by storing the offer letter template and information on each candidate. | A more efficient offer process presents a positive image to applicants, decreases the time needed to prepare an offer letter, and enables MTC to hire in advance of the competition (Analyzing Process Improvements Supported by IT) |
B. Expected Improvements
MTC must urgently modernize its employment procedure, as it is not helped by the manual approach, which takes additional effort and time. MTC intends to expand by 7% annually over the following five years. MTC will be able to accomplish its objective by utilizing technology to develop a smooth hiring procedure.
| Area | Current Issues (from the Case Study) | Improvements (due to the use of technology) |
|---|---|---|
| Collaboration: | The Hiring Manager states that recruiting is only one area he is responsible for, and he isn’t as responsive to HR as he could be. Therefore, he counts on the Recruiters to help manage the process and keep him informed. The current manual system causes many communication breakdowns and takes additional effort and time to stay on top of the hiring process. | An efficient system with all information in one place, easily accessible via a dashboard, and updated in real time could make his recruiting job easier; and he could devote time to effectively working collaboratively and proactively with HR on his staffing needs. |
| Communications: Explain how a hiring system could improve internal and external communications | MTC has a limited number of employees dedicated to recruiting, and those working on the employment procedure are overworked. There is insufficient appropriate communication between the recruiter, AA, and hiring manager. Resumes and applications may become misplaced in email or abandoned in interoffice mail. | By storing the data electronically and allowing users to search for keywords and particular skill sets for the role, an efficient system could reduce employers’ time to assess and screen applicants. |
| Workflow: Explain how a hiring system could improve the MTC hiring process by providing a consistent structure for each participant to perform his/her part in the hiring process. | Each stage of the hiring process takes significantly longer when everything is done manually. Before a candidate can proceed through the procedure, an excessive amount of paperwork must be reviewed. | The employment process can be streamlined with an information system. All team members could quickly and effectively carry out their responsibilities by uploading resumes to their system for the recruiter to and select the most competent applicants. |
| Relationships: Explain how implementing an enterprise hiring system could foster stronger relationships with applicants/potential employees. | The recruiting manager claims that employing manual procedures makes MTC appear unprofessional as an IT company. In order to rapidly update worried job seekers on the progress of their applications, MTC must answer their inquiries. | The applicants will receive real-time updates regarding their status through a system that uses technology. With this system, MTC will be seen as a cutting-edge, contemporary technology firm. |
References
Analyzing Process Improvements Supported by IT. https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/analyzing-processimprovementssupportedbyit.html?wcmmode=disabled
Business Enterprise Mapping. (2021, June 10). Six process improvement strategies that work – BEM. https://www.businessmapping.com/blog/process-improvement-strategies/
UMGC. (2019). Maryland Technology Consultants, Inc. case study. IFSM 300 Case Study
Requirements
What Are Requirements?
For purposes of this class, we will focus on what the end user needs or
expects the system to do. These needs and expectations are documented
as requirements for the system. They fall into two general categories:
user requirements (sometimes referred to as functional requirements) and
system performance requirements (sometimes referred to as non‐functional
requirements).
1. User Requirements describe the tasks the user needs the system to
perform, such as:
• What data the system is expected to collect.
• What the system is expected to do with the data that is input.
• What the system is expected to provide as output (reports, results,
etc.).
Some example user requirements for an online shopping site might be:
• The system must calculate the total of all items in the online or
website shopping cart.
• The system must display to the user similar items that the online
shopper may be interested in.
Learning Resource
Requirements https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…
1 of 5 2/7/2023, 5:35 PM
https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/requirements.html?wcmmode=disabled
• The system must require the user to provide a shipping address.
• The system must automatically fill in the State portion of the
shipping address based on the zip code entered by the user.
• The system must provide the user with a report of all purchases
made via the website.
2. System Performance Requirements are sometimes referred to
as system quality attributes, since they define how the system is
designed, how it will perform when used, and what the user experience
will be (Microsoft, 2009).
They describe how the system will perform, or its quality, in areas such as:
• Usability—The ability for new users to quickly adapt to the software,
including how easy the system is to use and how help is provided for
the users
• Scalability—The ability of the system to accommodate additional
users and/or additional records/transactions
• Availability—The amount or periods of time the system is to be
operational and useable
• Reliability—The ability of the system to create and maintain the data
correctly
• Maintainability—The ability of the system to be easily maintained,
corrected and updated
• Performance—The ability of the system to meet time or volume
requirements (respond to user inquiry, update a database, or handle
the workload)
• Portability—The ability of the system to run/operate on a variety of
end‐user devices or with multiple operating systems
• Interoperability—The ability of the system to interact with other
existing or legacy systems
System performance requirements also describe security requirements for
the system and data, such as:
• Protection of the system from malicious or accidental actions
• Protection of data as it is transmitted and when it is stored
• User authentication; prevention of unauthorized access
• Authorization of users to perform specific functions; prevention of
unauthorized changes to data
• Data backup and recovery
Some examples of system performance requirements are:
• The system must encrypt the user’s payment information when it is
transmitted.
• The system must require a retinal scan for login purposes.
• The system must be capable of handling 5,000,000 transactions per
hour.
• The system must operate using Motorola handheld scanners.
• The system must be able to accept financial data directly from the
company’s financial system.
To differentiate between user and system performance requirements, the
business analyst determines whether each requirement describes a task
that the system must perform (user requirement) or describes system
quality or security (system performance requirement).
How Are the Requirements Used?
Requirements can be used to develop a system from scratch, in which
case many detailed requirements for every step of every process need to
be clearly laid out. For example, if an accounting system is to be
developed, the developers will need to incorporate all the financial and
legal aspects of the process. They will need to know exactly how each
accounting function is to be performed in order to program the system to
carry out the function.
However, if the intent is to acquire a commercial off‐the‐shelf (COTS)
accounting system or to use a software‐as‐a‐service (SaaS) system, then
the requirements may be stated at a much higher level, such as: “the
system must implement the Generally Accepted Accounting Principles
(GAAP)” or “the system must produce a monthly expense statement.” In
these cases, the end user is not so concerned about each step in
performing those functions, as long as the system provides them.
Once the requirements are listed, they can be used to:
• Develop a system and test it to be sure it meets the
requirements
• Identify one or more COTS or SaaS systems that appear to meet the
requirements
• Test the COTS or SaaS systems to determine which one meets the
most requirements and select one for use
• Identify requirements that are not met that may need to be added to
the system or may require a separate or additional system(s) or
processes to be implemented
According to Mitre (2018) requirements “can be tested, verified, and/or
validated, and are unique, complete, unambiguous, consistent, and
obtainable, and [can be traced] to original business and mission needs.”
Documented requirements can be traced through an entire system
development and implementation process. For example:
• They form the need for a system and define its scope (all the
functions that are to be included).
• They form the basis for estimating the time and cost of developing or
acquiring the system.
• They are used to develop the system.
• They are used to negotiate any requirements changes that are
proposed by helping to determine how significant the change is.
• They are used to develop test cases to test the system to see if it
functions as needed.
• They are used when modifications or enhancements are proposed to
ensure that the new change does not unintentionally replace
previous functionality, and that the new requirement fits within the
scope of the system’s overall functionality.
• They are used to test a modified system to ensure all previous
functions, as well as the new functions, perform as needed.
References
Microsoft. (2009). Microsoft application architecture guide, 2009. Retrieved from https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ee658094(v=pandp.10)
Mitre. (2018). Systems Engineering Guide—Analyzing and Defining Requirements. Retrieved from https://www.mitre.org/publications/systems-engineering-guide/se-lifecycle-building-blocks/requirements-engineering/analyzing-and-defining-requirements
© 2023 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the
validity or integrity of information located at external sites.
Developing Requirements for an IT System
Where Do the Requirements Come From?
Let’s assume that someone in the organization identifies one or more
problems with the way a process is working. Whether the current process
is supported by an IT system or not, the analyst might ask people with
different roles in the process two questions:
• What problems are you having in performing the task today?
• How do you see an IT system helping to improve things?
These questions should elicit a variety of responses from multiple
perspectives. The executives might answer with how the organizational
strategies and objectives could be better supported with an IT
system.
Managers may answer the questions with how an IT system would help
them manage the people and processes better. Front‐line employees will
likely focus on their tasks and which steps could be done more easily and
quickly if they had a system. The analyst will use information gathered
during the process analysis phase to help stakeholders identify and clarify
what the system needs to do for them.
If there is organizational agreement that a new system is probably
needed, then a determination should be made as to whether a system will
Learning Resource
Developing Requirements for an IT System https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…
1 of 9 2/7/2023, 5:35 PM
https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/developing-requirementsforanitsystem.html?
wcmmode=disabled
need to be developed or if a pre‐built commercial off‐the‐shelf (COTS)
solution might work. This would include answering the following types of
questions:
• For what major functions or tasks is the user seeking an IT solution?
• Is there any part of that task that is likely to be unique to this
organization?
• Would it be possible to find a COTS solution, since those are already
created, are ready to be used, and are often much less costly to
implement?
If the organization does not employ any significantly unique functions to
accomplish a standard business process, then it is likely that a COTS
solution exists that could meet the needs. The determination of whether
a system is to be built or bought drives the level of detail needed in the
requirements. Many more requirements with much more detail are
needed for building a system than for buying one.
Regardless of whether a system is to be built or bought, the next step is
to identify the high level user requirements (or “functional”
requirements). This is done by interviewing the expected users of the
system. Users very often know some of what they need the system to do,
but are unable to list all the functions they need. One way the analyst
elicits the requirements is by asking a variety of users at different levels
of the organization and with different responsibilities how the processes
are currently being done and what it is that the current system or process
does or does not do efficiently. The manager’s perspective and needs are
quite different from the front‐line employee trying to perform specific
tasks, and the executive’s perspectives and needs are unique to that level
of the organization. After a series of interviews, the analyst can
categorize and document the requirements that are emerging. Some of
these will likely be at a very high level (e.g., “I need annual financial
reports”) to very low‐level detailed items (e.g., “the zip code must include
all 9 digits”). For an accounting system, the high‐level requirements might
include “the system must implement the Generally Accepted Accounting
Principles (GAAP)” or “the system must produce a monthly expense
statement,” along with many other functions identified by the users. One
of the biggest challenges for the analyst is to differentiate between a
“must have” (essential) requirement and a “nice to have” feature. When
requirements are collected and documented they are often put into these
two categories. The analyst asks the end user to determine whether each
requirement is a “must have” or a “nice to have” item, and documents
accordingly.
Some users may identify requirements that they believe the system must
perform, but that the analyst does not believe should be part of the
specification for the system in question. At this point in the process, all of
the requirements identified by any of the participants should be listed.
Eventually, the full list of requirements will be reviewed, modified as
necessary and approved by the system “owner” and major stakeholders.
During that part of the process, final determinations will be made about
which requirements are essential, which are “nice to have,” and which
should be eliminated. The list of essential requirements will be used to
identify whether there are COTS products available that should be
considered; “nice to have” requirements will be used to compare solutions
that meet the essential requirements. In a system development
environment, the essential requirements will be used to determine the
scope of the project. It is often easier and less costly to include “nice to
have” items in systems being developed in‐house, but the overall cost of
developing and maintaining IT systems must be considered in making that
decision. In the systems development life cycle (SDLC) analysis phase, the
project sponsor signs off on the requirements document. In later SDLC
phases, the requirements are used to design, develop, and test the
system.
A separate set of system performance (system quality and security)
requirements comes from the combination of end user needs as well as
technical specifications developed by the IT department. The answers,
again, are elicited via interviews with expected system users and
managers. Below are example questions that the analyst might ask to
develop system performance requirements in each of the system quality
and security categories:
• Usability—Do you want the system user to have access to an online
help manual? Do you want the user to be able to access context‐
specific help while entering each data field on the screen?
• Scalability—How many users and how many records/transactions do
you need the system to be able to accommodate? How much might
those increase over time?
• Availability—Are there any time blocks where access to the system is
not needed (e.g., no one would use the system between midnight and
4 a.m. daily)?
• Reliability—Can you provide examples of tasks where the system
needs to create and maintain accurate/correct data?
• Maintainability—Are system security updates applied within 24
hours? (While end users are affected by the maintainability of the
system, it is usually up to the IT department to determine whether
the process used accommodates changes as needed and whether
updates are made in a timely manner.)
• Portability—What devices do you want the users of the system to be
able to use? Is it likely that they would use a smartphone, tablet,
etc., to either query or use the system?
• Interoperability—Are there any systems with which the new system
will need to directly exchange data?
• Security—This is another area where users are affected, but need
assistance from technical specialists to determine the requirements.
The analyst might ask: How sensitive is the data? Are there any
regulations concerning protecting the type of data in this system
(personally identifiable information, health care or other data
protected by law, etc.)? Do you want users to be restricted as to
what they can do with the system or what data they can access?
Should this be based on their role in the organization? How often
does the data change? How long could you continue to operate if the
system were unavailable?
The User’s Role—Identifying Requirements
As discussed above, it is the responsibility of the system users to identify
the need for a solution to a problem or to identify processes that could be
improved and performed more effectively or efficiently. The user is
familiar with the business process to be accomplished and with how it is
currently performed, and can identify any issues that exist. Previous work
completed on process analysis is an important precursor to defining
requirements. It is not unusual for the business person to look around and
find potential IT solutions to their problems, and some want to jump
immediately into acquiring a specific solution. However, without a set of
requirements that has been approved by the organization, a solution that
fits one set of problems may not fit the needs of other users of the
system.
The Analyst’s Role—Documenting Requirements
One of the business analyst’s biggest challenges is to get the users to
identify their requirements rather than focus on a specific solution. The
analyst conducts interviews and observes the process as it exists and
documents the process. Using the process analysis work done previously
and by asking the types of questions discussed above, the analyst gathers
the requirements for the new or updated IT system and begins to
document them.
How Are Requirements Statements Written?
There are a number of “rules” for writing requirements statements. These
rules help to ensure that the requirements can be clearly understood and
that it is possible to determine whether or not the new system meets
each of the requirements. Poorly written requirements lead to
misunderstanding and misinterpretation and can lead to a system that
does not do what the users need it to do.
The analyst uses the list of requirements that the users identified and
rewrites each requirement to meet the criteria listed below.
Each requirement statement:
• Either describes a task that the user needs the system to
perform, or states a system performance expectation.
• Identifies only one requirement; avoids the words “and,” “also,”
“with,” and “or.”
• Is a complete sentence, with a subject (usually “the system”) and
predicate (intended result, action or condition).
• Uses “must” (not “may” or “should” or “will” or “shall”); written as
“The system must….”
• Is generally stated in positive terms (i.e., “the system must xxxx” vs.
“the system must not xxx”); however, there are times when “must
not” is the more appropriate way to express the
requirement.
• Is measurable; includes a measure or metric that can be used to
determine whether the requirement is met (e.g., time or quantity),
where appropriate; avoids the use of terms that cannot be defined
and measured, such as “approximately,” “robust,” “user friendly,” etc.
• Is achievable and realistic; avoids terms such as “100% uptime,” or
“no failures.”
• Is complete; it can stand alone and be understood.
• Must be testable; that is, there must be some way to test the system
to determine whether the requirement is met.
Below are some examples of poorly written and well‐written
requirements, with explanations of what is wrong with the poorly written
requirements statements.
| Poorly Written Requirement | What Is Wrong | Well‐Written Requirement |
|---|---|---|
| Users must have access to their personal data, which will be transmitted in a secure manner. | Two requirements (in this case, one user and one system performance) are expressed; each statement should express only one requirement. | 1. The system must provide a user with access to their personal data. 2. The system must transmit personal data in a secure manner. |
| The system must calculate the total of all items in the online or website shopping cart and display the total to the user. | Two requirements are expressed; each statement should express only one requirement. | 1. The system must calculate the total of all items in the online or website shopping cart. 2. The system must display the total of all items in the online or website shopping cart to the user. |
| Report must be provided within 5 seconds of the user clicking on “submit.” | Not a complete sentence; and should be stated as “The system must…” | The system must provide the report within 5 seconds of the user clicking on “submit.” |
| The system should require the user to provide a shipping address. | Avoid the use of “should”; use “must.” | The system must require the user to provide a shipping address. |
| The system must be easy to use. | “Easy to use” is not measurable or testable. | The system must provide on‐screen prompts to guide the user through the correct steps to place an order. |
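The rules for requirement statements listed above can be partly checked by machine. The following is an added example, not part of the UMGC learning resource: a small linter that applies those rules to the statements from the table. The function names, rule labels and the "error"/"review" severities are assumptions of this example.

```python
import re

# Word lists come from the "Each requirement statement" rules above;
# "easy to use" comes from the table. All identifiers are this example's own.
BANNED_MODALS = ("may", "should", "will", "shall")
COMPOUND_WORDS = ("and", "also", "with", "or")
VAGUE_TERMS = ("approximately", "robust", "user friendly", "easy to use")
UNREALISTIC_TERMS = ("100% uptime", "no failures")

# Statements copied from the table above: poorly written, then well written.
POOR = [
    "Users must have access to their personal data, which will be "
    "transmitted in a secure manner.",
    "The system must calculate the total of all items in the online or "
    "website shopping cart and display the total to the user.",
    'Report must be provided within 5 seconds of the user clicking on "submit."',
    "The system should require the user to provide a shipping address.",
    "The system must be easy to use.",
]
GOOD = [
    "The system must provide a user with access to their personal data.",
    "The system must transmit personal data in a secure manner.",
    "The system must calculate the total of all items in the online or "
    "website shopping cart.",
    "The system must display the total of all items in the online or "
    "website shopping cart to the user.",
    'The system must provide the report within 5 seconds of the user '
    'clicking on "submit."',
    "The system must require the user to provide a shipping address.",
    "The system must provide on-screen prompts to guide the user through "
    "the correct steps to place an order.",
]


def _contains(text, phrase):
    """True if phrase occurs in text as whole words, ignoring case."""
    pattern = r"(?<!\w)" + re.escape(phrase) + r"(?!\w)"
    return re.search(pattern, text, re.IGNORECASE) is not None


def lint_requirement(statement):
    """Return a list of (severity, rule, detail) findings for one statement."""
    text = statement.strip()
    # Treat "user-friendly" and "user friendly" alike.
    normalized = text.replace("-", " ").replace("\u2010", " ")
    findings = []
    if not normalized.lower().startswith("the system must "):
        findings.append(("error", "subject", 'must begin "The system must"'))
    # A closing quotation mark may follow the final period.
    if not text.rstrip("\"'\u201d\u2019").endswith("."):
        findings.append(("error", "sentence", "not a terminated sentence"))
    for word in BANNED_MODALS:
        if _contains(normalized, word):
            findings.append(("error", "modal", f'uses "{word}", not "must"'))
    for term in VAGUE_TERMS:
        if _contains(normalized, term):
            findings.append(("error", "measurable", f'"{term}" cannot be measured'))
    for term in UNREALISTIC_TERMS:
        if _contains(normalized, term):
            findings.append(("error", "achievable", f'"{term}" is not realistic'))
    # The table's own well-written statements contain "with" and "or", so a
    # hit on these words only flags the statement for an analyst to review.
    for word in COMPOUND_WORDS:
        if _contains(normalized, word):
            findings.append(("review", "single", f'contains "{word}"'))
    return findings


def rules_hit(statement, severity):
    """Set of rule labels reported at the given severity."""
    return {rule for sev, rule, _ in lint_requirement(statement) if sev == severity}


def verdict(statement):
    """FAIL on any error, REVIEW if only review findings, otherwise PASS."""
    severities = {sev for sev, _, _ in lint_requirement(statement)}
    if "error" in severities:
        return "FAIL"
    return "REVIEW" if severities else "PASS"


if __name__ == "__main__":
    for s in POOR + GOOD:
        print(f"{verdict(s):6} {s}")
        for sev, rule, detail in lint_requirement(s):
            print(f"       [{sev}/{rule}] {detail}")
```

The word-level checks miss the compound requirement in the first poorly written row (it contains none of the four listed words) and flag three well-written rows for review, which is why the "testable" and "one requirement" rules still need an analyst's judgment.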
The Requirements Document
Once the requirements statements are written correctly, they should be
grouped into categories. The first categorization is whether a
requirement is essential or nice to have. As stated above, this is done by
asking the individual who identified it as a requirement, rather than using
the analyst’s judgment. Then, the requirements are grouped by the
function or process involved so that the user community can understand
them. Using the accounting system example, the requirements might be
grouped under headings like: accounts receivable, accounts payable,
payroll processing, financial reports, etc. Arranging the requirements in a
sequence that follows the steps in a task is also helpful. For example, in
establishing a receivable account, there are specific steps taken; if the
requirements are listed in the order that is generally used, it allows the
end user to ascertain whether the list of requirements is complete and
accurate. Each requirement statement will be assigned a unique identifier
so that it can be referred to with ease and clarity. A full requirements
document or “requirements specification” may contain many hundreds, or
even thousands, of requirements. Again, more detailed requirements are
needed for systems being built in‐house or under contract. In the case of
selecting a COTS product, only the higher level essential user
requirements and the system performance requirements need to be
developed. Otherwise, if too many specifics are identified, it may be
impossible to find a COTS solution.
If all this documentation of requirements seems like it is very time‐
consuming, it is! Identifying and documenting the requirements is the
basis upon which all further system decisions will be made, so it is a
valuable investment of time and human resources. The later in the
process that requirements changes are introduced, the more costly they
become to implement. In developing a system, it would require the
developers to go back and re‐do portions of the system and re‐test all the
possible outcomes; and, depending on the severity and impact of the
change, it may prove to be extremely costly. For COTS solutions, a
significant change to one or more essential requirements may impact
which systems should even be considered. The upfront investment in
defining the requirements helps prevent downstream costs and delays.
Maryland Technology Consultants is a fictitious company created for the IFSM 300 Case Study.
MTC Case Study 11/23/2019 Ver. 1 1
Maryland Technology Consultants, Inc.
Maryland Technology Consultants (MTC) is a successful Information Technology consulting firm
that utilizes proven IT and management methodologies to achieve measurable results for its
customers. Its customer base includes small to mid-tier businesses, non-profit organizations
and governmental agencies at the local, state and federal levels. MTC feels strongly that its
success is dependent on the combination of the talent of its IT consultants in the areas of
Business Process Consulting, IT Consulting and IT Outsourcing Consulting and their ability to
deliver truly extraordinary results to their clients.
Corporate Profile
Corporate Name: Maryland Technology Consultants, Inc.
Founded: May 2008
Headquarters: Baltimore, Maryland
Satellite Locations: Herndon, Virginia; Bethesda, Maryland
Number of Employees: 450
Total Annual Gross Revenue: $95,000,000
President and
Chief Executive Officer (CEO): Samuel Johnson
Business Areas
MTC provides consulting services in the following areas:
• Business Process Consulting – Business process redesign, process improvement, and best
practices
• IT Consulting – IT strategy, analysis, planning, system development, implementation, and
network support
• IT Outsourcing Consulting – Requirements analysis; vendor evaluation, due diligence,
selection and performance management; Service Level Agreements
Business Strategy
MTC’s business strategy is to provide extraordinary consulting services and recommendations
to its customers by employing highly skilled consultants and staying abreast of new business
concepts and technology and/or developing new business concepts and best practices of its
own.
Excerpt from the MTC Strategic Business Plan
While the complete strategic plan touches on many areas, below is an excerpt from MTC’s
latest Strategic Business Plan that identifies a few of MTC’s Goals.
Goal 1: Increase MTC Business Development by winning new contracts in the areas of IT
consulting.
Goal 2: Build a cadre of consultants internationally to provide remote research and analysis
support to MTC’s onsite teams in the U.S.
Goal 3: Continue to increase MTC’s ability to quickly provide high quality consultants to
awarded contracts to best serve the clients’ needs.
Goal 4: Increase MTC’s competitive advantage in the IT consulting marketplace by increasing its
reputation for having IT consultants who are highly skilled in leading edge technologies and
innovative solutions for its clients.
Current Business Environment
MTC provides consultants on-site to work with its clients, delivering a wide variety of IT-related
services. MTC obtains most of its business through competitively bidding on Requests for
Proposals issued by business, government and non-profit organizations. A small but growing
portion of its business is through referrals and follow-on contracts from satisfied clients. MTC
anticipates it will win two large contracts in the near future and is preparing proposals for
several other large projects.
MTC, as a consulting company, relies on the quality and expertise of its employees to provide
the services needed by the clients. When it is awarded a contract, the customer expects MTC
to quickly provide the consultants and begin work on the project. MTC, like other consulting
companies, cannot afford to carry a significant number of employees that are not assigned to
contracts. Therefore, they need to determine the likelihood of winning a new contract and
ensure the appropriately skilled consultants are ready to go to work within 60 days of signing
the contract. MTC relies on its Human Resources (HR) Department to find, research, and assess
applicants so that line managers can review and select their top candidates and hire
appropriate consultants to meet their needs for current new contracts. It is very much a “just
in time” hiring situation.
The Headquarters in Baltimore, Maryland, houses approximately 350 employees. Satellite
offices have been opened in the last two years in both Herndon, Virginia and Bethesda,
Maryland to provide close proximity to existing clients. It is anticipated that new pending
contracts would add staff to all locations. The management team believes there is capacity at
all locations, as much of the consultants’ work is done on-site at the clients’ locations.
Strategic Direction
As a small to mid-size business (SMB), MTC recognizes that it needs to carefully plan its future
strategy. Considering the competitive environment that contains many very large IT consulting
firms, such as Hewlett-Packard (HP), Booz Allen Hamilton (BAH), and Science Applications
International Corporation (SAIC), as well as numerous smaller companies with various skill sets,
market niches, and established customer bases, MTC will be evaluating how best to position
itself for the future and recognizes that its ability to identify its core competencies, move with
agility and flexibility, and deliver consistent high quality service to its clients is critical for
continued success. MTC’s plan for growth includes growing by 7% per year over the next five
years. This would require an increase in consulting contract overall volume and an expanded
workforce. One area that is critical to a consulting company is the ability to have employees
who possess the necessary knowledge and skills to fulfill current and future contracts. Given
the intense competition in the IT consulting sector, MTC is planning to incorporate a few
consultants in other countries to provide remote research and analysis support to the on-site U.S.
teams. Since MTC has no experience in the global marketplace, the Director of HR has begun
examining international labor laws to determine where MTC should recruit and hire employees.
Challenges
Increased business creates a need to hire IT consultants more quickly. Overall, the Director of
HR is concerned that the current manual process of recruiting and hiring employees will not
allow his department to be responsive to the demands of future growth and increased hiring
requirements. There are currently two contracts that MTC expects to win very soon that will require
the hiring of an additional 75 consultants very quickly. He is looking for a near-term solution
that will automate many of the manual hiring process steps and reduce the time it takes to hire
new staff. He is also looking for a solution that will allow MTC to hire employees located in
other countries around the world.
Management Direction
The management team has been discussing how to ramp up to fill the requirements of the two
new contracts and prepare the company to continue growing as additional contracts are
awarded in the future. The company has been steadily growing and thus far hiring of new
employees has been handled through a process that is largely manual. The HR Director
reported that his staff will be unable to handle the expanded hiring projections as well as
accommodate the hiring of the 75 new employees in the timeframe required. The Chief
Information Officer (CIO) then recommended that the company look for a commercial off-the-
shelf software product that can dramatically improve the hiring process and shorten the time it
takes to hire new employees. The Chief Financial Officer (CFO) wants to ensure that all
investments are in line with the corporate mission and will achieve the desired return on
investment. She will be looking for clear information that proposals have been well researched,
provide a needed capability for the organization, and can be cost-effectively implemented in a
relatively short period of time to reap the benefits. The CEO has asked HR to work with the CIO
to recommend a solution.
Your Task
As a business analyst assigned to HR, you have been assigned to conduct an analysis, develop a
set of system requirements, evaluate a proposed solution, and develop an implementation plan
for an IT solution (an applicant tracking system for hiring) to improve the hiring process. You
have begun your analysis by conducting a series of interviews with key stakeholders to collect
information about the current hiring process and the requirements for a technology solution to
improve the hiring process. Based on your analysis and in coordination with key users you will
produce a Business Analysis and System Recommendation Report (BA&SR) as your final
deliverable.
Interviews
In the interviews you conducted with the organizational leaders, you hear the comments
recorded below.
CEO: Samuel Johnson
“While I trust my HR staff to address the nuts and bolts of the staffing processes, what is
critically important to me is that the right people can be in place to fulfill our current contracts
and additional talented staff can be quickly hired to address needs of future contracts that we
win. I can’t be out in the market soliciting new business if we can’t deliver on what we’re
selling. Our reputation is largely dependent on having knowledgeable and capable staff to
deliver the services our clients are paying for and expect from MTC.”
CFO: Evelyn Liu
“So glad we’re talking about this initiative. As CFO, obviously I’m focused on the bottom line. I
also recognize it’s necessary to invest in certain areas to ensure our viability moving forward. I
recognize that the current manual hiring process is inefficient and not cost-effective. Having
technology solutions that improve current process and enable future functionality is very
important to MTC’s success. We must consider the total cost of ownership of any technology
we adopt. MTC is run as a lean-and-mean organization and support processes must be effective
but not overbuilt. We do want to think towards the future and our strategic goals as well and
don’t want to invest in technology with a short shelf-life. Along those lines, we currently have a
timekeeping and payroll system that requires input from the hiring process to be entered to
establish new employees; and to help support our bottom line financially, any new solution
should effectively integrate with, but not replace, those systems.”
CIO: Raj Patel
“As a member of the IT Department, you have a good understanding of our overall architecture
and strategy; however, let me emphasize a few things I want to be sure we keep in mind for this
project. Any solution needs to be compatible with our existing architecture and systems as
appropriate. Obviously, we have chosen not to maintain a large software development staff so
building a solution from the ground up does not fit our IT strategic plan. Our current strategy
has been to adopt Software as a Service (SaaS) solutions that can be deployed relatively quickly
and leverage industry best practices at a low total cost. In addition, our distributed workforce
means we are very dependent on mobile computing – this brings some challenges in terms of
portability, maintenance, and solutions that present well on mobile devices. We’ve been
expanding at a rapid rate and are seeking to expand internationally so any solution will need to
be viable globally. And last, but certainly not least, MTC’s success is largely dependent on our
ability to satisfy the requirements of our clients and maintain a reputation of high credibility,
reliability and security. Any security breach of our applicants’ data could have a devastating
effect on our ability to compete for new business as well as maintain current clients. Any
technology solution adopted by MTC must contain clear security measures to control access and
protect data and allow us to use our current security for mobile links. I recognize that MTC can
no longer rely on a manual hiring process to meet these needs.”
Director of HR: Joseph Cummings
“Thanks for talking with me today. I see this effort as very important to the success of
MTC. While the recruiting staff has done an excellent job of hiring top IT consultants, the rapid
growth to date and future plans for expansion have pushed our recruiting staff, and we
recognize we can no longer meet the hiring and staffing demands with manual processes. I’m
also interested in solutions that are easy-to-use and can interface with our existing systems and
enhance processes. I’m willing to consider a basic system that can grow as MTC grows and
provide more capabilities in the future. I’m sure Sofia, our Manager of Recruiting, can provide
more specifics.”
Manager of Recruiting: Sofia Perez
“You don’t know how long I’ve been waiting to begin the process of finding a technology
solution to support our recruiting processes. In addition to myself, there are 2-3 full-time
recruiters who have been very busy keeping up with the increased hiring at MTC; and there are
no plans to increase the recruiting staff. It goes without saying that a consulting company is
dependent on having well-qualified employees to deliver to our customers. We’re in a
competitive market for IT talent and want to be able to recruit efficiently, process applicants
quickly, and move to making a job offer to the best candidate before the competition snaps
him/her up. When I talk with my colleagues in other companies, they mention applicant
tracking systems that have enabled them to reduce their hiring time by 15-20%. I’m so envious
of them and look forward to having our new solution in place before the next set of contracts
are won and we need to hire 75 (to as many as 150) staff in a 2-month period. I do not think my
team can handle such an increase in an efficient and effective manner. On-going growth at
MTC will continue to increase the demands to hire more consultants quickly. It really seems like
there would be a rapid return on investment in a technology solution to support and improve
the hiring process.”
Recruiters: Peter O’Neil (along with Mike Thomas and Jennifer Blackwell)
“This project should have happened 2 years ago but glad it’s finally getting some attention. As a
recruiter, I’m sort of the middleperson in this process. On one hand, we have the job applicant
who is anxious to know the status of his/her application and fit for the advertised position. It’s
important that the recruiters represent MTC well, as we want the best applicants to want to
come to work for us. Then we have the actual hiring manager in one of our business areas who
has issued the job requisition and wants to get the best applicant hired as quickly as possible.
Obviously recruiting is not the hiring manager’s full-time job, so we’re always competing for
time with other job responsibilities, so we can keep things moving as quickly as possible. They
provide us with job descriptions to meet the needs of clients and look to us to screen resumes
and only forward the best qualified applicants to them so they can quickly identify their top
candidates. Working with Tom, our administrative assistant, we need interviews to be
scheduled to accommodate everyone’s calendars. After the hiring managers make their final
selections of who they would like to hire, it is our task to get the job offers presented to the
candidates – hopefully for their acceptance. Everything is very time sensitive, and the current
process is not nearly as efficient as it could be. Applications and resumes can get lost in
interoffice mail or buried in email; and, when a hiring manager calls us, we often cannot
immediately provide the status of where an applicant is in the process. This can be very
frustrating all around. Speaking for myself and the other recruiters, I have high expectations for
this solution. We need to really be able to deliver world-class service to MTC in the recruiting
and hiring areas to meet the business goals.”
Administrative Assistant: Tom Arbuckle
“I support the recruiters in the hiring process. After the recruiters screen the resumes and select
the best candidates for a position, my job is to route those applications and resumes via
interoffice mail to the respective functional/hiring manager, receive his or her feedback on who
to interview and who should be involved in the interviews, schedule the interviews based on
availability of applicants and the interview team members, collect the feedback from the
interview team and inform the assigned recruiter of the status of each candidate who was
interviewed. In addition to preparing the job offer letter based on the recruiter’s direction, after
a job offer has been made and accepted, I coordinate the paperwork for the new hire with HR
and Payroll to ensure everything is ready to go on the first day. As you can imagine, when hiring
volume is up, I’m buried in paperwork, and trying to keep all the applicants and their resumes
straight, track their status in the process, and ensure everyone has what they need is very
challenging. I love my job, but want to ensure I can continue to keep on top of the increased
hiring demands and support the recruiting team effectively. Any tool that would help the
workflow and enable many steps in the process to be done electronically would be wonderful.”
Hiring Manager (in functional area; this person would be the supervisor of the new employee
and would likely issue the job requisition to fill a need in his/her department/team):
“While it’s a good problem to have – new business means new hires — the current method for
screening applications, scheduling interviews, identifying the best qualified applicants, and
getting a job offer to them is not working. My team is evaluated on the level of service we
provide our clients, and it is very important that we have well-qualified staff members to fulfill
our contracts. Turnover is common in the IT world and that, along with new business
development, makes the need for hiring new staff critical and time-sensitive. I confess that
sometimes I’m not as responsive to HR as I should be; but although hiring new consultants for
the contracts I manage is important to successfully meet the clients’ needs, this is only one of
several areas for which I’m responsible. I look to the recruiters to stay on top of this for me. In
the ideal world, I’d like an electronic dashboard from which I can see the status of any job
openings in my area, information on all qualified candidates who have applied and where they
are in the pipeline. Electronic scheduling of interviews on my calendar would be a real time
saver. It’s important that we impress candidates with our technology and efficiency – after all
we are an IT consulting company—and using manual processes makes us look bad. And, this
system must be easy to use – I don’t have time for training or reading a 100-page user’s
manual. Just need to get my job done.”
Enterprise Systems
First, what do we mean by an enterprise system? This term refers to
systems that integrate data across an enterprise (organization) to support
the business processes related to a variety of business functions—from
basic functions like human and financial resource management to
managing the supply chain and customer relationships. The same system
is used by employees performing a specific function from anywhere in the
organization. Some business functions for which enterprise‐wide
solutions are often used include the following:
• Enterprise Resource Planning (ERP)
• Supply Chain Management (SCM)
• Customer Relationship Management (CRM)
• Enterprise Messaging Systems (to include email)
• Human Resources Management
• Financial Management
• Billing and Payment Processing
• Call Center and Customer Support
• Enterprise Content/Document Management
These functions can be done by one large‐scale, enterprise‐wide system
that integrates several major functions, or through linking (or integrating)
individual systems through a type of middleware—usually referred to as
enterprise application integration (EAI). Generally, it is much more
effective to use a single integrated platform rather than multiple
applications that were not designed to work together.
Learning Resource: Enterprise Systems (2/19/2023, 8:31 PM)
Link: https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/enterprise-systems.html?wcmmode=disabled
Enterprise systems can be developed in‐house or acquired as a
commercial off‐the‐shelf (COTS) product. COTS products can be
purchased and implemented on internal servers or acquired as a
Software‐as‐a‐Service (SaaS) from a cloud service provider. To attract
more customers, the COTS/SaaS vendors implement features that all
their customers can benefit from, such as heightened security
protections, support for new industry standards and legislation, and
increased ability to separate system access and update by job function.
The focus in this section will be on COTS systems developed to manage
one or more business functions across the organization. The three most
common types of enterprise systems will be covered: Enterprise Resource
Planning (ERP), Supply Chain Management (SCM) and Customer
Relationship Management (CRM).
Enterprise Resource Planning (ERP) Systems
An ERP system is built to support an integrated approach to managing
some or all of the core processes involved in running a company: human
resources management, financial management, procurement, etc. ERP
systems were originally developed to handle these “back office”
functions. ERP is actually the business process of integrating the core
functions across an organization; the term by itself is not defined as a
“system,” although many people refer to an ERP system as an “ERP.”
ERP software was developed to implement the ERP process; such
software integrates, standardizes and streamlines (or optimizes) the
business processes across departments. Users of the various functions of
an ERP system are presented with common screens and system functions to
allow them to move easily between functional components, and to reduce
training costs. Generally, the ERP system operates as a single system with
a common database employing common data definitions. Using one
database saves organizations from updating several systems with the
same data, and provides greater accuracy and collaboration between
departments. Transactions are processed against the database
immediately, and the updated information is available across the
organization immediately. This is in contrast to an organization using
multiple “stovepipe” systems with redundant (and often not synchronized)
data. For example, employee data (name, address, SSN, etc.) is stored
once and can be accessed for payroll, timekeeping, travel expense
reimbursement, facilities access, etc., and if the employee makes a
change, it is changed in one place for all to access.
In summary, the characteristics of an ERP include:
• enterprise‐wide integration,
• a common database,
• real‐time operation and processing of data and transactions, and
• consistent look and feel.
Business Benefits of ERPs
ERPs improve the efficiency and effectiveness of business operations by
providing:
• Integrated information that is consistent across the enterprise and
provides a “single truth” in areas such as
◦ Financial information—There is one set of financial figures that
everyone can use.
◦ HR information—Employees can enter updates directly into the
system, and their skills and experience can be viewed by
managers across the organization.
◦ Order information—Orders affect inventory, accounting,
distribution, and manufacturing, all of which can be updated in
the single system when an order is placed.
◦ Customer information—The same customer information is
available to all departments.
• Best practices—The systems are designed to implement best
business practices for each of the functional areas and streamline the
steps in the process, reducing the time required to complete each
process.
• Standardized business processes—All users of the system perform
the function in the same way, and every process is supported by the
system with a similar look and feel for all users, regardless of their
department.
• Lower IT costs—The use of a single system for multiple functions
reduces total costs associated with acquiring, operating, and
maintaining multiple systems; however, if the ERP is significantly
modified to fit the organization, the cost advantage may disappear.
• Reduced training costs—Employees use a similar interface for all
major business functions.
• Consolidated procurements—The use of a single system for
purchasing products provides opportunities to consolidate similar
orders from various departments to receive volume discounts.
• Improved compliance—Time and effort are reduced in responding to
the wide variety of government reporting requirements, including
financial reporting, human resources and wage reporting,
environmental reporting, etc. Compliance is also enforced through
the standardized business processes implemented in the ERP.
ERPs lead to better decision‐making.
• Common data that is shared across the organization is used for
analysis and decision‐making.
• Better data improves planning and reporting.
• ERPs promote collaboration across departments and levels of the
organization since all involved have the same version of the facts.
• ERPs support distributed decision‐making, as participants can act
locally in accordance with the guidance provided and the results of
their actions are available throughout the organization.
ERPs lead to increased organizational agility.
• The standardization and simplification of the business processes and
the use of a common system allows the organization to adapt quickly
when necessary.
ERPs provide enhanced security for corporate data.
• Data that is stored in one location can be better secured than data
that is stored in multiple locations, especially since corporate data
may be stored on hundreds of servers and personal computers
anywhere and its existence may even be unknown to the security
specialists.
• Vendors serving multiple customers can provide better and more
extensive security for systems and data than individual organizations
are able to provide.
Industry‐specific ERPs are designed to support the unique business
processes of the industry, such as those required by financial institutions,
service industries, government, health care, higher education, and
hospitality. The way that processes are carried out in each of those can
be quite different. ERPs are also designed specifically for small, small‐to‐
medium size, large, and very large international organizations. The size
and type of organization are taken into account when selecting an ERP.
Major Disadvantages of Implementing ERPs
• The time it takes to implement them: Since ERPs are used
throughout the organization, many departments are affected and
much coordination is required. Further, since the ERP may be
replacing a myriad of systems implemented throughout the
organization (including on individual desktop PCs), it takes a
considerable amount of time to discover all those legacy systems and
determine if and how to incorporate the data into the new system.
• The cost of the system: There are initial purchase costs, which can be
quite high, and significant implementation costs to coordinate the
implementation across the enterprise. Depending on the amount of
customization needed, the ongoing maintenance costs can be very
high, since each new release from the vendor needs to be thoroughly
tested, and any modifications already made need to be applied to the
upgraded system.
• Change management is required before, during and after
implementation to align business practices with the way the system
works.
There have been some very well publicized ERP implementation failures,
and you may have witnessed one where you work(ed). Among the causes
of failure are:
• Selecting the wrong ERP. As mentioned above, ERPs are designed
for various sizes of organizations. Choosing an ERP with too many
features may overwhelm a small organization; conversely, not having
enough features to support a very large and diverse organization can
lead to failure. Although ERP systems were originally designed for
large organizations, there are now many products available for small
to mid‐sized businesses.
• Customizing the ERP. When organizations implement an ERP, their
business processes must be adapted to the way the system is
designed. If an enterprise determines that they will modify the
software to match their process, many issues are introduced. The
time to implement and the costs go up significantly, as does the risk.
Future upgrades from the vendor may not function without
significant code changes due to the customization.
• Employee resistance. People resist change, but employee resistance
seems much more common with ERPs, where the changes are more
pervasive and obvious. The process changes that an ERP requires
may remove flexibility formerly enjoyed by the staff, who might
perceive a loss of autonomy and control.
• Lack of common data definitions. When an ERP is implemented,
data from multiple stovepipe systems must be migrated to the single
database. Most often those legacy systems each have their own
definitions and formats for the data – and the same data item stored
in different systems may be called by a different name and/or may be
formatted differently. Before the data can be loaded into the ERP, a
common set of definitions and formats is needed. For some
organizations, this is an insurmountable problem, and they end up
abandoning their ERP implementation.
ERP Summary
ERP systems have been extended in many organizations to include
seamless integration of supply chain management (SCM) and customer
relationship management (CRM) processes and data across the
organization. Linked with ERPs, SCM and CRM systems provide the end‐
to‐end visibility of a company’s information; the ERP provides the “glue”
to allow all the systems of an enterprise to work together to get the right
information to the right people at the right time.
By now two things should be clear:
1. Effective ERPs can provide great strategic advantage to an
organization and help break down the stovepipes of information
aligned to specific functions (like human resources, finance, etc.).
2. ERPs require significant investment of time and money and can be
very expensive to effectively select and implement.
Supply Chain Management (SCM) Systems
If you think of the basic model of a business, it is: input/process/output.
Resources (human, financial or supply resources) come in, and then the
work of the company is to transform them some way into something that
customers want (process), and then provide it to the customers (output)—
the output could be to wholesalers, retailers, or individual customers. A
simplistic overview of the input/process/output supply business model is
provided in the table below:
Input/Process/Output Supply Business Model
Industry | Input | Process | Output
Manufacturing | Raw materials | Combine raw materials to make a product | Product
Consulting | Information; human capital (analysts) | Analysis | Report
Restaurant | Fresh or frozen food | Cooking/Preparation | Meals
SCM can be thought of as “the management of the chain of supplies.” It
encompasses the range of activities needed to plan, manage, and execute
the development of the product, from the acquisition of raw materials,
through production and distribution, all the way to the final customer.
The objective is to do so in the most cost‐effective manner possible.
In the example of a simplified manufacturing supply chain, we might start
with several suppliers of raw materials—all the things needed to make the
product. Each of these items may come from a different supplier, in
different quantities, and on different schedules. All of the necessary items
need to be assembled at the manufacturing plant and then they are put
together to make the product. The product then is shipped to a
warehouse where it is stored. At the appropriate time, product is moved
from the warehouse to a retail store, where it is put on a shelf to be sold.
The supply chain does not stop there. After the product is sold, it may
need service, or the customer may wish to return it. Every one of these
steps has costs and complexity associated with it. Through SCM,
both management and employees can view what’s happening along the
supply chain to make better decisions. Each step in the supply chain
provides an opportunity to impact profitability, quality, etc.
In today’s world, it is impossible to have an effective supply chain without
the use of technology, including the right technology solution to
implement the business strategy. Companies compete on the basis of
who has the right product, in the right place, at the right time. Once
again, getting the right information to the right people at the right time is
critical to successful SCM, and that is exactly what good SCM systems do.
Businesses use SCM to plan, source, make, deliver, and return their
products. SCM helps them develop a plan for managing all the resources
needed; choose reliable suppliers; manufacture their products or services;
implement their logistics processes (receive and fulfill orders and receive
payment); and provide for returns, excess product, and customer support.
This is an iterative process that goes on continuously as companies
monitor, evaluate, and modify their supply chains. SCM is a clear example
of the relationship between people, information, business processes, and
information technology.
Customer Relationship Management (CRM) Systems
CRM, like ERP and SCM, is a business philosophy, not a technology,
although many people use the term to represent a system. CRM is based
on the idea that a strong competitive advantage can be achieved by
understanding customer needs. Companies that recognize that their
customers are not just generators of revenue but are valued assets are
moving quickly from a focus on their product to a focus on the customers.
As companies deal with customers around the world and expanding
competition, they find that adopting a CRM strategy is essential. It costs
much less to make a repeat sale to an existing customer than it costs to
make a sale to a new customer.
CRM helps organizations of all sizes, but the larger the company, the
more complex the problems become. Here’s where an information system
can provide immense value—allowing the company to capture
information, make it available to all functions that need to know
something about the customers, and provide superior customer service.
In addition, the availability of this data enables companies to analyze the
information to determine patterns and trends in customer habits, analyze
demographic profiles of customers to target marketing campaigns, and
identify ways to build customer loyalty. CRM systems can link customer
information from a variety of sources, including social media. While they
are designed for use by marketing, sales, and support organizations, the
information they contain can inform a wide variety of business decisions,
such as production levels, geographic distribution of their products,
markets for new products, etc.
ERP, SCM, or CRM System?
SCM and CRM systems bring similar advantages and disadvantages to
those discussed above for an ERP. Organizations determine which type
of enterprise system is appropriate based on analysis of the requirements
of the organization, just as for any other system. If the organization
simply wishes to automate its “back office” functions, then an ERP
(focused on accounting or finance) may suffice. If the organization can
take advantage of an industry‐specific ERP to perform those functions in
a way that is uniquely suited to the industry, then that is the category of
ERP that should be researched. If the organization needs supply chain or
customer relationship management tools, and already has an ERP in place,
it might look for additional modules from the ERP vendor to perform
those functions. Such solutions should come with built‐in integration with
the ERP, which could greatly benefit the organization. If an SCM or a
CRM is needed and there is no ERP in place, the organization should
consider the totality of its requirements and determine whether a
combined capability is needed or a point solution (just SCM or CRM) is
what is needed. Certainly an SCM or a CRM can be implemented on its
own, but as the organization looks forward, it may wish to select such a
system that has the ability to be expanded to include other modules as
may be needed in the future. The selection should, therefore, be based on
a combination of what the needs are, what systems are already in place,
and what future needs should be considered.
© 2023 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the
validity or integrity of information located at external sites.
Information Systems Security
Introduction
As computers and other digital devices have become essential to business
and commerce, they have also increasingly become a target for attacks. In
order for a company or an individual to use a computing device with
confidence, they must first be assured that the device is not compromised
in any way and that all communications will be secure. In this reading, we
will review the fundamental concepts of information systems security and
discuss some of the measures that can be taken to mitigate security
threats. We will begin with an overview focusing on how organizations
can stay secure. Several different measures that a company can take to
improve security will be discussed. We will then follow up by reviewing
security precautions that individuals can take in order to secure their
personal computing environment.
The Information Security Triad: Confidentiality, Integrity, Availability (CIA)
Confidentiality
When protecting information, we want to be able to restrict access to
those who are allowed to see it; everyone else should be disallowed from
learning anything about its contents. This is the essence of
confidentiality. For example, federal law requires that universities restrict
access to private student information. The university must be sure that
only those who are authorized have access to view the grade records.
Learning Resource: Information Systems Security (2/19/2023, 8:30 PM)
Link: https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/information-systemssecurity.html?wcmmode=disabled#
[Figure: The Information Security Triad]
Integrity
Integrity is the assurance that the information being accessed has not
been altered and truly represents what is intended. Just as a person with
integrity means what he or she says and can be trusted to consistently
represent the truth, information integrity means information truly
represents its intended meaning. Information can lose its integrity
through malicious intent, such as when someone who is not authorized
makes a change to intentionally misrepresent something. An example of
this would be when a hacker is hired to go into the university’s system
and change a grade.
Integrity can also be lost unintentionally, such as when a computer power
surge corrupts a file or someone authorized to make a change
accidentally deletes a file or enters incorrect information.
Availability
Information availability is the third part of the CIA triad. Availability
means that information can be accessed and modified by anyone
authorized to do so in an appropriate time frame. Depending on the type
of information, appropriate time frame can mean different things. For
example, a stock trader needs information to be available immediately,
while a salesperson may be happy to get sales numbers for the day in a
report the next morning. Companies such as Amazon.com will require
their servers to be available 24 hours a day, 7 days a week. Other
companies may not suffer if their web servers are down for a few minutes
once in a while.
Tools for Information Security
In order to ensure the confidentiality, integrity, and availability of
information, organizations can choose from a variety of tools. Each of
these tools can be utilized as part of an overall information‐security
policy, which will be discussed in “Security Policies.”
Authentication
The most common way to identify someone is through their physical
appearance, but how do we identify someone sitting behind a computer
screen or at the ATM? Tools for authentication are used to ensure that
the person accessing the information is, indeed, who they present
themselves to be.
Authentication can be accomplished by identifying someone through one
or more of three factors: something they know, something they have, or
something they are. For example, the most common form of
authentication today is the user ID and password. In this case, the
authentication is done by confirming something that the user knows
(their ID and password). But this form of authentication is easy to
compromise (see “Password Security” below) and stronger forms of
authentication are sometimes needed. Identifying someone only by
something they have, such as a key or a card, can also be problematic.
When that identifying token is lost or stolen, the identity can be easily
stolen. The final factor, something you are, is much harder to
compromise. This factor identifies a user through the use of a physical
characteristic, such as an eye‐scan or fingerprint. Identifying someone
through their physical characteristics is called biometrics.
A more secure way to authenticate a user is to do multi‐factor
authentication. By combining two or more of the factors listed above, it
becomes much more difficult for someone to misrepresent themselves.
An example of this would be the use of an RSA SecurID token. The RSA
device is something you have and will generate a new access code every
60 seconds. To log in to an information resource using the RSA device,
you combine something you know, a four‐digit PIN, with the code
generated by the device. The only way to properly authenticate is by both
knowing the code and having the RSA device.
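The PIN-plus-token login described above, as an added example that is not part of the original reading. RSA's own code algorithm is not given on the page, so the open TOTP standard (RFC 6238) stands in for it with a 60-second step; the Account structure, the six-digit code length and all sample values are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the page's token shows a new code every 60 seconds
CODE_DIGITS = 6    # assumption: six-digit codes


def token_code(secret: bytes, unix_time: int) -> str:
    """Code the token displays during the 60-second step containing unix_time."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Account:
    """Server-side record for one user (hypothetical structure)."""

    def __init__(self, pin: str, salt: bytes, token_secret: bytes):
        self.salt = salt
        self.pin_hash = hash_pin(pin, salt)
        self.token_secret = token_secret
        self.last_used_step = -1  # highest time step already accepted


def authenticate(account: Account, pin: str, code: str, now: int,
                 drift_steps: int = 1) -> bool:
    """Succeed only when BOTH factors check out.

    drift_steps tolerates a token clock that is one step fast or slow.
    A step that was already accepted is refused, so a code observed over
    someone's shoulder cannot be replayed inside the same window.
    """
    pin_ok = hmac.compare_digest(hash_pin(pin, account.salt), account.pin_hash)

    current_step = now // STEP_SECONDS
    matched_step = None
    for step in range(current_step - drift_steps, current_step + drift_steps + 1):
        if step < 0 or step <= account.last_used_step:
            continue
        expected = token_code(account.token_secret, step * STEP_SECONDS)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched_step = step

    # Both checks always run, so the answer does not reveal which one failed.
    if pin_ok and matched_step is not None:
        account.last_used_step = matched_step
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; the secret is the RFC 4226 test key.
    secret = b"12345678901234567890"
    acct = Account(pin="4821", salt=b"constructed-salt", token_secret=secret)
    now = 125  # falls in time step 2
    code = token_code(secret, now)
    print("PIN + current code:", authenticate(acct, "4821", code, now))
    print("same code replayed:", authenticate(acct, "4821", code, now))
    print("code without PIN  :",
          authenticate(acct, "0000", token_code(secret, 185), 185))
```

A stolen PIN alone or a stolen token alone fails here, which is the property the paragraph describes.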
Access Control
Once a user has been authenticated, the next step is to ensure that they
can only access the information resources that are appropriate. This is
done through the use of access control. Access control determines which
users are authorized to read, modify, add, and/or delete information.
Several different access control models exist. Here we will discuss two:
the access control list (ACL) and role‐based access control (RBAC).
For each information resource that an organization wishes to manage, a
list of users who have the ability to take specific actions can be created.
This is an access control list, or ACL. For each user, specific capabilities
are assigned, such as read, write, delete, or add. Only users with those
capabilities are allowed to perform those functions. If a user is not on the
list, they have no ability to even know that the information resource
exists.
ACLs are simple to understand and maintain. However, they have several
drawbacks. The primary drawback is that each information resource is
managed separately, so if a security administrator wanted to add a user
to, or remove a user from, a large set of information resources, it would
be quite difficult. And as the number of users and resources increases, ACLs
become harder to maintain. This has led to an improved method of access
control, called role‐based access control, or RBAC. With RBAC, instead of
giving specific users access rights to an information resource, users are
assigned to roles and then those roles are assigned the access. This allows
the administrators to manage users and roles separately, simplifying
administration and, by extension, improving security.
[Figure: Comparison of ACL and RBAC. Access control list (ACL) and role‐based access control (RBAC)]
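The maintenance difference between the two models, as an added example that is not part of the original reading. The class names, the "registrar" role, the user names and the 50 grade-book resources are all constructed for illustration.

```python
class AclStore:
    """ACL model: every resource carries its own list of user -> permissions."""

    def __init__(self):
        self.lists = {}  # resource -> {user: set(permissions)}
        self.edits = 0   # administrative changes made, for comparison

    def grant(self, resource, user, perms):
        self.lists.setdefault(resource, {}).setdefault(user, set()).update(perms)
        self.edits += 1

    def revoke(self, resource, user):
        if self.lists.get(resource, {}).pop(user, None) is not None:
            self.edits += 1

    def allowed(self, user, resource, perm):
        # A user who is not on the list gets nothing (default deny).
        return perm in self.lists.get(resource, {}).get(user, set())

    def stale_entries(self, active_users):
        """Audit: ACL entries that still name someone who has left."""
        return sorted((res, user) for res, entries in self.lists.items()
                      for user in entries if user not in active_users)


class RbacStore:
    """RBAC model: permissions hang on roles, users are attached to roles."""

    def __init__(self):
        self.role_perms = {}  # role -> {resource: set(permissions)}
        self.user_roles = {}  # user -> set(roles)
        self.edits = 0

    def grant_role(self, role, resource, perms):
        self.role_perms.setdefault(role, {}).setdefault(resource, set()).update(perms)
        self.edits += 1

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)
        self.edits += 1

    def unassign(self, user, role):
        self.user_roles.get(user, set()).discard(role)
        self.edits += 1

    def allowed(self, user, resource, perm):
        return any(perm in self.role_perms.get(role, {}).get(resource, set())
                   for role in self.user_roles.get(user, set()))


RESOURCES = [f"grades/course-{n:03d}" for n in range(50)]  # constructed


def staffing_change():
    """Alice leaves the registrar's office and Bob replaces her."""
    acl, rbac = AclStore(), RbacStore()
    for res in RESOURCES:
        acl.grant(res, "alice", {"read", "write"})
        rbac.grant_role("registrar", res, {"read", "write"})
    rbac.assign("alice", "registrar")
    acl.edits = rbac.edits = 0  # count only the staffing change itself

    # ACL: one edit per resource per person, and the admin misses one list.
    for res in RESOURCES:
        acl.grant(res, "bob", {"read", "write"})
    for res in RESOURCES[:-1]:
        acl.revoke(res, "alice")

    # RBAC: two edits in total, whatever the number of resources.
    rbac.unassign("alice", "registrar")
    rbac.assign("bob", "registrar")
    return acl, rbac


if __name__ == "__main__":
    acl, rbac = staffing_change()
    print("ACL edits :", acl.edits, "| RBAC edits:", rbac.edits)
    print("Alice can still write via ACL:",
          acl.allowed("alice", RESOURCES[-1], "write"))
    print("Stale ACL entries:", acl.stale_entries({"bob"}))
```

The one list the administrator missed leaves a departed user with write access, which is why ACL-managed systems need a periodic audit like stale_entries.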
Encryption
Many times, an organization needs to transmit information over the
Internet or transfer it on external media such as a CD or flash drive. In
these cases, even with proper authentication and access control, it is
possible for an unauthorized person to get access to the data. Encryption
is a process of encoding data upon its transmission or storage so that only
authorized individuals can read it. This encoding is accomplished by a
computer program, which encodes the plain text that needs to be
transmitted; then the recipient receives the cipher text and decodes it
(decryption). In order for this to work, the sender and receiver need to
agree on the method of encoding so that both parties can communicate
properly. Both parties share the encryption key, enabling them to encode
and decode each other’s messages. This is called symmetric key
encryption. This type of encryption is problematic because the key is
available in two different places.
An alternative to symmetric key encryption is public key encryption. In
public key encryption, two keys are used: a public key and a private key.
To send an encrypted message, you obtain the public key, encode the
message, and send it. The recipient then uses the private key to decode it.
The public key can be given to anyone who wishes to send the recipient a
message. Each user simply needs one private key and one public key in
order to secure messages. The private key is necessary in order to decrypt
something sent with the public key.
[Figure: Public Key Encryption. Sender uses public key to encode, and reader uses private key to decode]
Password Security
So why is using just a simple user ID/password not considered a
secure method of authentication? It turns out that this single‐factor
authentication is extremely easy to compromise. Good password
policies must be put in place in order to ensure that passwords
cannot be compromised. Below are some of the more common
policies that organizations should put in place.
• Require complex passwords. One reason passwords are
compromised is that they can be easily guessed. A study found
that the top three passwords people used in 2012 were
“password,” 123456 and 12345678 (Gallagher, 2012). A
password should not be simple, or a word that can be found in a
dictionary. One of the first things a hacker will do is try to crack
a password by testing every term in the dictionary. Instead, a
good password policy is one that requires the use of a minimum
of eight characters, and at least one uppercase letter, one
special character, and one number.
• Change passwords regularly. It is essential that users change
their passwords on a regular basis. Users should change their
passwords every 60 to 90 days, ensuring that any passwords
that might have been stolen or guessed will not be able to be
used against the company.
• Train employees not to give away passwords. One of the
primary methods that is used to steal passwords is to simply
figure them out by asking the users or administrators.
Pretexting occurs when an attacker calls a helpdesk or security
administrator and pretends to be a particular authorized user
having trouble logging in. Then, by providing some personal
information about the authorized user, the attacker convinces
the security person to reset the password and tell him what it is.
Another way that employees may be tricked into giving away
passwords is through email phishing. Phishing occurs when a
user receives an email that looks as if it is from a trusted source,
such as their bank, or their employer. In the email, the user is
asked to click a link and log in to a website that mimics the
genuine website and enter their ID and password, which are
then captured by the attacker.
Backups
Another essential tool for information security is a comprehensive backup
plan for the entire organization. Not only should the data on the
corporate servers be backed up, but individual computers used
throughout the organization should also be backed up. A good backup
plan should consist of several components.
• A full understanding of the organizational information resources.
What information does the organization actually have? Where is it
stored? Some data may be stored on the organization’s servers, other
data on users’ hard drives, some in the cloud, and some on third‐
party sites. An organization should make a full inventory of all of the
information that needs to be backed up and determine the best way
to back it up.
• Regular backups of all data. The frequency of backups should be
based on how important the data is to the company, combined with
the ability of the company to replace any data that is lost. Critical
data should be backed up daily, while less critical data could be
backed up weekly.
• Off‐site storage of backup data sets. If all of the backup data is being
stored in the same facility as the original copies of the data, then a
single event, such as an earthquake, fire, or tornado, would take out
both the original data and the backup! It is essential that part of the
backup plan is to store the data in an off‐site location.
• Test of data restoration. On a regular basis, the backups should be
put to the test by having some of the data restored. This will ensure
that the process is working and will give the organization confidence
in the backup plan.
Besides these considerations, organizations should also examine their
operations to determine what effect downtime would have on their
business. If their information technology were to be unavailable for any
sustained period of time, how would it impact the business?
Additional concepts related to backup include the following:
• Universal Power Supply (UPS). A UPS is a device that provides
battery backup to critical components of the system, allowing them
to stay online longer and/or allowing the IT staff to shut them down
using proper procedures in order to prevent the data loss that might
occur from a power failure.
• Alternate, or “hot” sites. Some organizations choose to have an
alternate site where an exact replica of their critical data is always
kept up to date. When the primary site goes down, the alternate site
is immediately brought online so that there is little or no downtime.
As information has become a strategic asset, a whole industry has sprung
up around the technologies necessary for implementing a proper backup
strategy. A company can contract with a service provider to back up all of
their data or they can purchase large amounts of online storage space and
do it themselves. Technologies such as storage area networks and archival
systems are now used by most large businesses.
Firewalls
Another method that an organization should use to increase security on
its network is a firewall. A firewall can exist as hardware or software (or
both). A hardware firewall is a device that is connected to the network
and filters the packets based on a set of rules. A software firewall runs on
the operating system and intercepts packets as they arrive to a computer.
A firewall protects all company servers and computers by stopping
packets from outside the organization’s network that do not meet a strict
set of criteria. A firewall may also be configured to restrict the flow of
packets leaving the organization. This may be done to eliminate the
possibility of employees watching YouTube videos or using Facebook from
a company computer.
[Figure: Network Demilitarized Zone (DMZ). Partially secured section of a network]
Some organizations may choose to implement multiple firewalls as part of
their network security configuration, creating one or more sections of
their network that are partially secured. This segment of the network is
referred to as a DMZ, borrowing the term demilitarized zone from the
military, and it is where an organization may place resources that need
broader access, but still need to be secured.
Intrusion Detection Systems
Another device that can be placed on the network for security purposes
is an intrusion detection system, or IDS. An IDS does not add any
additional security; instead, it provides the functionality to identify if the
network is being attacked. An IDS can be configured to watch for specific
types of activities and then alert security personnel if that activity occurs.
An IDS also can log various types of traffic on the network for analysis
later. An IDS is an essential part of any good security setup.
Virtual Private Networks
Using firewalls and other security technologies, organizations can
effectively protect many of their information resources by making
them invisible to the outside world. But what if an employee working
from home requires access to some of these resources? What if a
consultant is hired who needs to do work on the internal corporate
network from a remote location? In these cases, a virtual private
network (VPN) is called for.
A VPN allows a user who is outside of a corporate network to take a
detour around the firewall and access the internal network from the
outside. Through a combination of software and security measures,
this lets an organization allow limited access to its networks while at
the same time ensuring overall security.
Physical Security
An organization can implement the best authentication scheme in the
world, develop the best access control, and install firewalls and intrusion
prevention, but its security cannot be complete without implementation
of physical security. Physical security is the protection of the actual
hardware and networking components that store and transmit
information resources. To implement physical security, an organization
must identify all of the vulnerable resources and take measures to ensure
that these resources cannot be physically tampered with or stolen. These
measures include the following.
• Locked doors. It may seem obvious, but all the security in the world
is useless if an intruder can simply walk in and physically remove a
computing device. High‐value information assets should be secured
in a location with limited access.
• Physical intrusion detection. High‐value information assets should be
monitored through the use of security cameras and other means to
detect unauthorized access to the physical locations where they
exist.
• Secured equipment. Devices should be locked down to prevent them
from being stolen. One employee’s hard drive could contain all of
your customer information, so it is essential that it be secured.
• Environmental monitoring. An organization’s servers and other high‐
value equipment should always be kept in a room that is monitored
for temperature, humidity, and airflow. The risk of a server failure
rises when these factors go out of a specified range.
• Employee training. One of the most common ways thieves steal
corporate information is to steal employee laptops while employees
are traveling. Employees should be trained to secure their equipment
whenever they are away from the office.
Security Policies
Besides the technical controls listed above, organizations also need to
implement security policies as a form of administrative control. In fact,
these policies should really be a starting point in developing an overall
security plan. A good information‐security policy lays out the guidelines
for employee use of the information resources of the company and
provides the company recourse in case an employee violates a policy.
According to the SANS Institute, a good policy is “a formal, brief, and
high‐level statement or plan that embraces an organization’s general
beliefs, goals, objectives, and acceptable procedures for a specified
subject area.” Policies require compliance; failure to comply with a policy
will result in disciplinary action. A policy does not lay out the specific
technical details; instead, it focuses on the desired results. A security
policy should be based on the guiding principles of confidentiality,
integrity, and availability (SANS Institute, n.d.).
A good example of a security policy that many will be familiar with is a
web use policy. A web use policy lays out the responsibilities of company
employees as they use company resources to access the Internet.
A security policy should also address any governmental or industry
regulations that apply to the organization. For example, if the
organization is a university, it must be aware of the Family Educational
Rights and Privacy Act (FERPA), which restricts who has access to student
information. Health care organizations are obligated to follow several
regulations, such as the Health Insurance Portability and Accountability
Act (HIPAA).
A good resource for learning more about security policies is the SANS
Institute’s Information Security Policy Page.
Mobile Security
As the use of mobile devices such as smartphones and tablets
proliferates, organizations must be ready to address the unique
security concerns that the use of these devices brings. One of the
first questions an organization must consider is whether to allow
mobile devices in the workplace at all. Many employees already have
these devices, so the question becomes: Should we allow employees
to bring their own devices and use them as part of their employment
activities? Or should we provide the devices to our employees?
Creating a BYOD (“Bring Your Own Device”) policy allows employees
to integrate themselves more fully into their job and can bring higher
employee satisfaction and productivity. In many cases, it may be
virtually impossible to prevent employees from having their own
smartphones or iPads in the workplace. If the organization provides
the devices to its employees, it gains more control over use of the
devices, but it also exposes itself to the possibility of an
administrative (and costly) mess.
Mobile devices can pose many unique security challenges to an
organization. Probably one of the biggest concerns is theft of
intellectual property. For an employee with malicious intent, it would
be a very simple process to connect a mobile device either to a
computer via the USB port, or wirelessly to the corporate network,
and download confidential data. It would also be easy to secretly
take a high‐quality picture using a built‐in camera.
When an employee does have permission to access and save
company data on his or her device, a different security threat
emerges: that device now becomes a target for thieves. Theft of
mobile devices (in this case, including laptops) is one of the primary
methods that data thieves use.
So what can be done to secure mobile devices? It will start with a
good policy regarding their use. According to a 2013 SANS study,
organizations should consider developing a mobile device policy that
addresses the following issues: use of the camera, use of voice
recording, application purchases, encryption at rest, Wi‐Fi
autoconnect settings, Bluetooth settings, VPN use, password
settings, lost or stolen device reporting, and backup (SANS Institute, n.d.).
Besides policies, there are several different tools that an organization
can use to mitigate some of these risks. For example, if a device is
stolen or lost, geolocation software can help the organization find it.
In some cases, it may even make sense to install remote data‐
removal software, which will remove data from a device if it becomes
a security risk.
Usability
When looking to secure information resources, organizations must
balance the need for security with users’ need to effectively access and
use these resources. If a system’s security measures make it difficult to
use, then users will find ways around the security, which may make the
system more vulnerable than it would have been without the security
measures! Take, for example, password policies. If the organization
requires an extremely long password with several special characters, an
employee may resort to writing it down and putting it in a drawer since it
will be impossible to memorize.
Personal Information Security
There is no way to have 100% security, but there are several simple steps
we, as individuals, can take to make ourselves more secure.
• Keep your software up to date. Whenever a software vendor
determines that a security flaw has been found in their software,
they will release an update to the software that you can download to
fix the problem. Turn on automatic updating on your computer to
automate this process.
• Install antivirus software and keep it up to date. There are many
good antivirus software packages on the market today, including free
ones.
• Be smart about your connections. You should be aware of your
surroundings. When connecting to a Wi‐Fi network in a public place,
be aware that you could be at risk of being spied on by others
sharing that network. It is advisable not to access your financial or
personal data while attached to a Wi‐Fi hotspot. You should also be
aware that connecting USB flash drives to your device could also put
you at risk. Do not attach an unfamiliar flash drive to your device
unless you can scan it first with your security software.
• Back up your data. Just as organizations need to back up their data,
individuals need to as well. And the same rules apply: do it regularly
and keep a copy of it in another location. One simple solution for this
is to set up an account with an online backup service, such as Mozy
or Carbonite, to automate your backups.
• Secure your accounts with two‐factor authentication. Most email
and social media providers now have a two‐factor authentication
option. The way this works is simple: When you log in to your
account from an unfamiliar computer for the first time, it sends you a
text message with a code that you must enter to confirm that you
are really you. This means that no one else can log in to your
accounts without knowing your password and having your mobile
phone with them.
• Make your passwords long, strong, and unique. For your personal
passwords, you should follow the same rules that are recommended
for organizations. Your passwords should be long (eight or more
characters) and contain at least two of the following: uppercase
letters, numbers, and special characters. You also should use
different passwords for different accounts, so that if someone steals
your password for one account, they still are locked out of your
other accounts.
• Be suspicious of strange links and attachments. When you receive an
email, tweet, or Facebook post, be suspicious of any links or
attachments included there. Do not click on the link directly if you
are at all suspicious. Instead, if you want to access the website, find
it yourself and navigate to it directly.
You can find more about these steps and many other ways to be secure
with your computing by going to Stop. Think. Connect. This website is
part of a campaign that was launched in October of 2010 by the STOP.
THINK. CONNECT. Messaging Convention in partnership with the US
government, including the White House.
Summary
As computing and networking resources have become more and more an
integral part of business, they have also become a target of criminals.
Organizations must be vigilant with the way they protect their resources.
The same holds true for us personally: as digital devices become more
and more intertwined with our lives, it becomes crucial for us to
understand how to protect ourselves.
Study Questions
1. Briefly define each of the three members of the information
security triad.
2. What does the term authentication mean?
3. What is multi‐factor authentication?
4. What is role‐based access control?
5. What is the purpose of encryption?
6. What are two good examples of a complex password?
7. What is pretexting?
8. What are the components of a good backup plan?
9. What is a firewall?
10. What does the term physical security mean?
References
Gallagher, S. (2012, November 3). Born to be breached. Retrieved on May
15, 2013, from
http://arstechnica.com/information-technology/2012/11/born-to-be-breached-the-worst-passwords-are-still-the-most-common/
SANS Institute. (n.d.). A short primer for developing security policies.
Retrieved from http://www.sans.org/security-resources/policies/
SANS Institute. (n.d.). SANS Institute’s mobile device checklist. Retrieved
from www.sans.org/score/checklists/mobile-device-checklist.xls
Licenses and Attributions
Chapter 6: Information Systems Security
(https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond)
from Information Systems for Business and Beyond by David T. Bourgeois
is available under a Creative Commons Attribution 3.0 Unported
(https://creativecommons.org/licenses/by/3.0/) license. © 2014, David
T. Bourgeois. UMGC has modified this work and it is available under the
original license.
© 2023 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the
validity or integrity of information located at external sites.