IFSM 300 Stage 3-Assignment

Maryland Technology Consultants (MTC)

IFSM 300 Information Systems in Organizations

01/25/2023

Introduction

Maryland Technology Consultants is an accessing firm that specializes in providing Information Technology (IT) solutions to clients. The firm uses proven methodologies to deliver measurable results and enhance business performance. The provision of IT consulting and outsourcing services will be the main topics of the Business Analysis and System Recommendations (BA&SR) report on MTC’s commercial zone. Therefore, the report aims to create a strategic plan for implementing an onboarding program or recruiting system to enhance MTC’s recruitment procedure. The report will employ a four-stage strategy to accomplish this goal. Each of them examines a different portion of the study. The report will emphasize providing exceptional consulting guidance and advice to its customers by hiring highly qualified experts and keeping up to date with cutting-edge business technologies and innovations.

I.

Strategic Use of Technology

A.
Business strategy

IT can revolutionize the manufacturing industry and transform business operations. Utilizing technology plays a critical role in trade and economic growth and can aid MTC in boosting its business progress through new contracts and partnerships (UMGC, 2023). The usage of IT also broadens MTC’s reach because it is no longer constrained by geographical region. By utilizing IT, MTC can assemble a group of international consultants that can help American onsite teams via remote study and evaluation. This can be one of the company’s strategies. Additionally, IT enables more efficient identification of potential business partners in other countries or continents.

B.
Competitive advantage

The Manufacturing Technology Corporation (MTC) operates in a highly competitive market, facing competition from both large-scale IT consulting organizations and smaller companies with specialized skill sets, as well as small to mid-sized businesses. MTC is concentrating on its hiring method to draw top IT experts with in-depth knowledge of cutting-edge technology and an inventive strategy for problem-solving for customers in order to acquire a competitive advantage (Amadeo & Rasure, 2022). The organization is aware that many applicants utilize online forms and anticipate a simple and quick application procedure in the current digital era. MTC has implemented an integrated hiring and retention strategy to fulfill this expectation, including a new IT solution. The candidate monitoring and hiring procedure is improved overall by this technology, which monitors the process more effectively than the manual method. The system also has a tool for managing business activities, simplifying management (David & David, 2016). The recruiting and recruitment procedures are streamlined by a piece of software called the applicant tracking system. Online processing allows the monitoring system to manage business operations and gather data, giving MTC a competitive edge over its main competitors.

C.
Strategic Objectives

MTC intends to compete with more prominent companies for new IT Consulting projects by offering highly qualified IT consultants. MTC will be likely to do this in order to boost its effectiveness.

Strategic Goal

Objective

Explanation

Increase MTC business development by winning new contracts in the areas of IT
consulting.

Look into prospective business opportunities. Think about taking on one contract as the prime contractor and collaborating with at least two big firms as a subcontractor.

This statement suggests that the person or company should research different business opportunities and consider taking on a contract as the primary contractor while working with two other larger companies as subcontractors. This could involve partnering with larger companies to bid on and complete a project, with the primary contractor taking on the lead role and the subcontractors providing additional resources and expertise. This strategy could potentially help the primary contractor gain experience and credibility in the industry while also leveraging the resources and reputation of the larger firms.

Build a cadre of consultants internationally to provide remote research and analysis
support to MTC’s onsite teams in the U. S.

Over the next twelve months, increase overseas hiring and bring on six research analysts.

Online applications will be accepted from candidates worldwide, resulting in a spike in the number of international applicants. As a result, hiring managers would have the chance to track candidates’ progress for these roles, identify key research competencies, and evaluate resumes in light of those competencies. By looking at the applicant pool, recruitment agencies can quickly assess how many candidates are required to fulfill a goal.

Continue to increase MTC’s ability to provide high-quality consultants to quickly
awarded contracts to best serve the client’s needs.

Enlarge the hiring market. Over the next five months, five exceptionally talented talent acquisition specialists with at minimum five years of fast-paced experience in the industry should be employed.

To implement the new hiring strategy successfully, hiring qualified recruitment agencies used to demanding work settings is vital. They ought to know about hiring personnel after winning contracts.

Increase MTC’s competitive advantage in the IT consulting marketplace by increasing its
reputation for having IT consultants who are highly skilled in leading edge technologies and
innovative solutions for its clients.

Create a culture within your firm that will draw in and keep talent. Reward staff members every quarter and acknowledge their contributions. Make use of MTC’s advantages to expand your clientele and gain more market share.

Rewarding top achievers will result in happier, more productive workers and lower turnover rates. Customers will value and appreciate MTC’s qualities, resulting in new contracts and collaborations.

D.
Decision Making

Data tracking capabilities are among the most crucial features of information systems. The fact that an info system turns data into specific information is vital to comprehend. The ability to make decisions can be strengthened by using upgraded information just after data has been converted into knowledge.

Role

Level as defined in Course Content Reading

Example of Possible Decision Supported by Hiring System

Example of Information, the Hiring System, could provide to Support your Example Decision

Senior/Executive Managers (Decisions made by the CEO and the CFO at MTC supported by the hiring system)

Strategic level

Promote emerging markets that you are considering joining.

You should specify how many experts you will need because you will be working with a new arrangement.

Middle Managers (Decisions made by the Director of HR and the Manager of Recruiting supported by the hiring system)

Managerial level

There are various phases involved in allocating budgets and resources.

According to the contract terms, candidates might be chosen by hiring managers and the director of the headquarters office.

Operational Managers (Decisions made by the line managers in the organization who are hiring for their projects supported by the hiring system)

Operational level

Work at a different location with workers moving from one area to another.

All qualifications and certificates necessary for the new post will be confirmed through the system’s verification procedure.

References

Amadeo, K, and Rasure, E. (2022, January). US and World Economies, What is Competitive Advantage?

https://www.thebalance.com/what-is-competitive-advantage-3-strategies-that-work-3305828

UMGC (2023). Business Strategy. Retrieved from

https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/business-strategy.html?wcmmode=disabled

David, F., & David, F. R. (2016). Strategic management: A competitive advantage approach, concepts, and cases. Pearson–Prentice Hall. Retrieved from

https://gibsoncollege.edu.et/wp-content/uploads/2022/01/Strategic-Management-Concepts-and-Cases-15th-Ed.-by-Fred-R.-David-and-Forest-R.-David

Stage 3: Requirements-3 pages

Before you begin work on this assignment, be sure you have read the Case Study and reviewed the feedback received on your Stage 1 and 2 assignments.

Overview

As the business analyst in the CIO’s department of Maryland Technology Consulting (MTC), your next task in developing your Business Analysis and System Recommendation (BA&SR) Report is to develop a set of requirements for the hiring system.

Assignment – BA&SR Section III. Requirements

The first step is to review any feedback from previous stages to help improve the effectiveness of your overall report and then add the new section to your report. Only content for Stage 3 will be graded for this submission. Part of the grading criteria for Stage 4 includes evaluating if the document is a very effective and cohesive assemblage of the four sections, is well formatted and flows smoothly from one section to the next. For this assignment, you will
add Section III of the Business Analysis and System Recommendation (BA&SR) Report to your Sections I and II. In this section you will identify requirements for the new hiring system. This analysis leads into Section IV. System Recommendation of the BA&SR (Stage 4 assignment) that will analyze a proposed IT solution to ensure it meets MTC’s organizational strategy and fulfills its operational needs.

Using the case study, assignment instructions, Content readings, and external research, develop your Section III. Requirements. The case study tells you that the executives and employees at Maryland Technology Consultants (MTC) have identified a need for an effective and efficient applicant tracking or hiring system.
As you review the case study, use the assignment instructions to take notes to assist in your analysis. In particular, look for information in the interviews to provide stakeholder interests and needs.

Use the outline format, headings and tables provided and follow all formatting instructions below.

III.
Requirements

A.
Stakeholder Interests – Review the interest or objectives for the new hiring system for each stakeholder listed below based on his or her organizational role and case study information. Consider how the technology will improve how his/her job is done; that is, identify what each of the stakeholders needs the hiring system to do. Then to complete the table below, use information from the stakeholder interviews and identify one significant challenge or problem for each stakeholder related to the current hiring process
(not their future expectations). Then explain how a system could address their problems. Do
not define what that position does in the organization. (Provide an introductory sentence for this section, copy the table below and complete the two columns with
1-2 complete sentences for each role in each column.)

B. Defining Requirements – The next step is to identify the
essential requirements for the information system. In addition to the stakeholder interests identified above, review the Case Study, especially the interviews, highlighting any statements that tell what the person expects or needs the system to do.
User requirements express specifically
what the user needs the system to do
. This can be in terms of
tasks the users need to perform, data they need to input, what the system might do with that data input, and output required.

System performance requirements express
how the system will perform in several performance areas and security
. As a member of the CIO’s organization, you will use your professional knowledge to Identify 5 User Requirements (including one specifically related to reporting) and 5 System Performance Requirements (including 2 security-related requirements).
Refer to Week 5 content on requirements;
security requirements are covered in Week 6. Additional research can expand your knowledge of these areas.

Once you have identified the 10 requirements, evaluate each one using the criteria below and create 10 well-written requirements statements for the new hiring system.

The requirement statement:

· Is a complete sentence, with a subject (system) and predicate (intended result, action or condition).

· Identifies only one requirement; does not include the words “and,” “also,” “with,” and “or.”

· For User Requirements, states

what
tasks the system will support or perform.

· For System Performance Requirements, states

how
the system will perform.

· Includes a measure or metric that can be used to determine whether the requirement is met (time or quantity), where appropriate.

· Is stated in positive terms and uses “must” (not “shall,” “may” or “should”); “the system must xxxx”
not “the system must not xxx”.

· Avoids the use of terms that cannot be defined and measured, such as “approximately,” “robust,” “user friendly,” etc.

· Is achievable and realistic; avoids terms such as “100% uptime,” or “no failures”.

For a full requirements document, there will be many requirement statements; you only need to provide the number of requirements identified for each category. Do not provide generic statements but relate to the needs of MTC to improve its hiring process.

(Provide an introductory sentence, copy the table, and complete the Requirements Statement and Stakeholder columns. No additional information should be entered into the first column, Requirement ID.)

EXAMPLE

(Security-
replace this with a specific security requirement)

Formatting Your Assignment

Consider your audience – you are writing in the role of an MTC business analyst and your audience is MTC and your boss, the CIO. Don’t discuss MTC as if the reader has no knowledge of the organization. Use third person consistently throughout the report. In third person, the writer avoids the pronouns I, we, my, and ours. The third person is used to make the writing more objective by taking the individual, the “self,” out of the writing. This method is very helpful for effective business writing, a form in which facts, not opinion, drive the tone of the text. Writing in the third person allows the writer to come across as unbiased and thus more informed.

· In Stage 3, you are preparing the third part of a 4-stage report. Use the structure, headings, and outline format provided here for your report. Use the numbering/lettering in the assignment instructions as shown below.

III. Requirements

A. Stakeholder Interests

B. Defining Requirements

· Begin with Sections I and II, considering any feedback received, and add to it Section III.

· Write a short concise paper: Use the recommendations provided in each area for
length of response. It’s important to value
quality over quantity. Section III should not exceed 3 pages.

· Content areas should be
double spaced; table entries should be
single-spaced.

· To

copy a table
: Move your cursor to the table, then click on the small box that appears at the upper left corner of the table to highlight the table; right click and COPY the table; put the cursor in your paper where you want the table and right click and PASTE the table.

· Ensure that each of the
tables is preceded by an
introductory sentence that explains what is contained in the table, so the reader understands
why the table has been included.

· Continue to use the
title page created in Stage 1 that includes: The title of report, company name, your name, Course and Section Number, and date of
this submission.

·

Use
at least two
resources with
APA formatted citation and reference for this Stage 3 assignment. Use at least one external reference and one from the course content. Course content should be from the class reading content, not the assignment instructions or case study itself. For information on APA format, refer to Content>Course Resources>Writing Resources.

· Add the references required for this assignment to the
Reference Page. Additional research in the next stage will be added to this as you build the report. The final document should contain all references from all stages appropriately formatted and alphabetized.

· Running headers are not required for this report.

· Compare your work to the
Grading Rubric below to be sure you have met content and quality criteria.

· Submit your paper as a
Word document, or a document that can be read in Word. Keep tables in Word format – do not paste in graphics.

· Your submission should include

your last name first in the filename:

Lastname_firstname_Stage_3

GRADING RUBRIC:

Criteria

Far Above Standards

Above Standards

Meets Standards

Below Standards

Well Below Standards

Possible Points

Stakeholder Interests

Identification of specific stakeholder problems (interests and objectives for improving the hiring process) and how a technology system could address.

Generally, 0-3 points per role. Both quantity and quality evaluated.

38.4 Points

35.2-38.4 Points

Problems and how a technology solution will address are correctly and clearly described and fully explained using a sophisticated level of writing.

32.64 points

32-33.6 Points

Problems and how a technology solution will address are clearly described and explained using an effective level of writing.

28.8 points

27.2-30.4 Points

Problems and how a technology solution will address are described and explained.

23.808 points

22.4-25.6 Points

Problems and how a technology solution will address are not clearly described and explained; and/or lacks effective presentation of information

0 points
0-20.8 Points
Content missing or extremely incomplete, did not reflect the assignment instructions, showed little or no originality, demonstrated little effort, is not supported with information from the Case Study; and/or is not original work for this class section.

38.4

User

Requirements

5 user requirements (1 addresses reporting)

Generally, 0-5 points each. Both quantity and quality evaluated.

40 points

36.8-40 Points

Correctly identified, written and sourced; clearly derived from the Case Study; demonstrates sophisticated analysis.

33.6 points
32-35.2 Points
Identified, written and sourced correctly; requirements are derived from the Case Study; demonstrates effective analysis.

28.8 points

27.2-31.7 Points

Identified and sourced; requirements are related to the Case Study.

25.6 points

24-25.6 Points

Fewer than 5 requirements are identified and sourced; and/or information provided is not correct; and/or requirements are not all related to the Case Study.

0 points

0-22.4 Points

Content missing or extremely incomplete, did not reflect the assignment instructions, showed little or no originality, demonstrated little effort, is not supported with information from the Case Study; and/or is not original work for this class section.

40

Performance Requirements

3 performance requirements and 2 system security requirements

Generally, 0-5 points each
. Both quantity and quality evaluated.

40 points

36.8-40 Points

Correctly identified, written and sourced; clearly derived from the Case Study; demonstrates sophisticated analysis.

33.6 points
32-35.2 Points
Identified, written and sourced correctly; requirements are derived from the Case Study; demonstrates effective analysis.

28.8 points

27.2-31.7 Points

Identified and sourced; requirements are related to the Case Study.

25.6 points

24-25.6 Points

Fewer than 5 requirements are identified and sourced; and/or information provided is not correct; and/or requirements are not all related to the Case Study.

0 points

0-22.4 Points

Content missing or extremely incomplete, did not reflect the assignment instructions, showed little or no originality, demonstrated little effort, is not supported with information from the Case Study; and/or is not original work for this class section
.

40

Research

Two or more sources–one source from within the IFSM 300 course content and one external (other than the course materials)

16 points

14.4-16 Points

Required resources are incorporated and used effectively. Sources used are relevant and timely and contribute strongly to the analysis. References are appropriately incorporated and cited using APA style.

13.6 points

13.6 Points

At least two sources are incorporated and are relevant and somewhat support the analysis. References are appropriately incorporated and cited using APA style.

12 points

12 Points

Only one resource is used and properly incorporated and/or reference(s) lack correct APA style.

10.4 points

10.4 Points

A source may be used, but is not properly incorporated or used, and/or is not effective or appropriate; and/or does not follow APA style for references and citations.

0 points

0-8 Points

No course content or external research incorporated; or reference listed is not cited within the text.

16

Format

Uses outline format provided; includes Title Page and Reference Page

25.6 points

22.4-25.6 Points

Very well organized and easy to read. Very few or no errors in sentence structure, grammar, and spelling; double-spaced, written in third person and presented in a professional format.

20.736 points

19.2-10.8 Points

Effective organization; has few errors in sentence structure, grammar, and spelling; double-spaced, written in third person and presented in a professional format.

17.664 points

17.6 Points

Some organization; may have some errors in sentence structure, grammar and spelling. Report is double spaced and written in third person.

15.872 points

16 Points

Not well organized, and/or contains several grammar and/or spelling errors; and/or is not double-spaced and written in third person.

0 points

0-14.4 Points

Extremely poorly written, has many grammar and/or spelling errors, or does not convey the information.

25.6

TOTAL Points Possible

160

Stage II: Process Analysis

Maryland Technology Consultants (MTC)

IFSM 300 Information Systems in Organizations

02/07/2023

II. Process Analysis

A.
Hiring Process

Maryland Technology Consultants (MTC) wants to develop and become a leading provider of IT consulting services with an objective to electronically replace the manual hiring procedure now in place. The table below will describe the present procedure, make some suggestions, and explain to MTC the necessity for a new approach.

Recruiter

Recruiter

Hiring Manager

Administrative Assistant

Administrative Assistant

Administrative Assistant

Administrative Assistant

n/a

Administrative Assistant

B.
Expected Improvements

MTC must urgently modernize its employment procedure as they are not helped by the manual approach, which takes additional effort and time. MTC intends to expand by 7% annually over the following five years. MTC will be able to accomplish its objective by utilizing technology to develop a smooth hiring procedure.

References

Analyzing Process Improvements Supported by IT.

https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/analyzing-processimprovementssupportedbyit.html?wcmmode=disabled

Business Enterprise Mapping. (2021, June 10). Six process improvement strategies that work – BEM.

https://www.businessmapping.com/blog/process-improvement-strategies/

UMGC. (2019). Maryland Technology Consultants, Inc. case study. IFSM 300 Case Study

Requirements

What Are Requirements?

For purposes of this class, we will focus on what the end user needs or

expects the system to do. These needs and expectations are documented

as requirements for the system. They fall into two general categories:

user requirements (sometimes referred to as functional requirements) and

system performance requirements (sometimes referred to non‐functional

requirements).

1. User Requirements describe the tasks the user needs the system to

perform, such as:

• What data the system is expected to collect.

• What the system is expected to do with the data that is input.

• What the system is expected to provide as output (reports, results,

etc.).

Some example user requirements for an online shopping site might be:

• The system must calculate the total of all items in the online or

website shopping cart.

• The system must display to the user similar items that the online

shopper may be interested in.

Learning Resource

Requirements https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

1 of 5 2/7/2023, 5:35 PM

https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/requirements.html?wcmmode=disabled

• The system must require the user to provide a shipping address.

• The system must automatically fill in the State portion of the

shipping address based on the zip code entered by the user.

• The system must provide the user with a report of all purchases

made via the website.

2. System Performance Requirements are sometimes referred to

as system quality attributes, since they define how the system is

designed, how it will perform when used, and what the user experience

will be (Microsoft, 2009).

They describe how the system will perform, or its quality, in areas such as:

• Usability—The ability for new users to quickly adapt to the software,

including how easy the system is to use and how help is provided for

the users

• Scalability—The ability of the system to accommodate additional

users and/or additional records/transactions

• Availability—The amount or periods of time the system is to be

operational and useable

• Reliability—The ability of the system to create and maintain the data

correctly

• Maintainability—The ability of the system to be easily maintained,

corrected and updated

• Performance—The ability of the system to meet time or volume

requirements (respond to user inquiry, update a database, or handle

the workload)

• Portability—The ability of the system to run/operate on a variety of

end‐user devices or with multiple operating systems

• Interoperability—The ability of the system to interact with other

existing or legacy systems

Requirements https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

2 of 5 2/7/2023, 5:35 PM

System performance requirements also describe security requirements for

the system and data, such as:

• Protection of the system from malicious or accidental actions

• Protection of data as it is transmitted and when it is stored

• User authentication; prevention of unauthorized access

• Authorization of users to perform specific functions; prevention of

unauthorized changes to data

• Data backup and recovery

Some examples of system performance requirements are:

• The system must encrypt the user’s payment information when it is

transmitted.

• The system must require a retinal scan for login purposes.

• The system must be capable of handling 5,000,000 transactions per

hour.

• The system must operate using Motorola handheld scanners.

• The system must be able to accept financial data directly from the

company’s financial system.

To differentiate between user and system performance requirements, the

business analyst determines whether each requirement describes a task

that the system must perform (user requirement) or describes system

quality or security (system performance requirement).

How Are the Requirements Used?

Requirements can be used to develop a system from scratch, in which

case many detailed requirements for every step of every process need to

be clearly laid out. For example, if an accounting system is to be

Requirements https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

3 of 5 2/7/2023, 5:35 PM

developed, the developers will need to incorporate all the financial and

legal aspects of the process. They will need to know exactly how each

accounting function is to be performed in order to program the system to

carry out the function.

However, if the intent is to acquire a commercial off‐the‐shelf (COTS)

accounting system or to use a software‐as‐a‐service (SaaS) system, then

the requirements may be stated at a much higher level, such as: “the

system must implement the Generally Accepted Accounting Principles

(GAAP)” or “the system must produce a monthly expense statement.” In

these cases, the end user is not so concerned about each step in

performing those functions, as long as the system provides them.

Once the requirements are listed, they can be used to:

• Develop a system and test it to be sure it meets the

requirements

• Identify one or more COTS or SaaS systems that appear to meet the

requirements

• Test the COTS or SaaS systems to determine which one meets the

most requirements and select one for use

• Identify requirements that are not met that may need be added to

the system or may require a separate or additional system(s) or

processes to be implemented

According to Mitre (2018) requirements “can be tested, verified, and/or

validated, and are unique, complete, unambiguous, consistent, and

obtainable, and [can be traced] to original business and mission needs.”

Documented requirements can be traced through an entire system

development and implementation process. For example:

• They form the need for a system and define its scope (all the

functions that are to be included).

• They form the basis for estimating the time and cost of developing or

Requirements https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

4 of 5 2/7/2023, 5:35 PM

acquiring the system.

• They are used to develop the system.

• They are used to negotiate any requirements changes that are

proposed by helping to determine how significant the change is.

• They are used to develop test cases to test the system to see if it

functions as needed.

• They are used when modifications or enhancements are proposed to

ensure that the new change does not unintentionally replace

previous functionality, and that the new requirement fits within the

scope of the system’s overall functionality.

• They are used to test a modified system to ensure all previous

functions, as well as the new functions, perform as needed.

References

Microsoft. (2009). Microsoft application architecture guide, 2009.

Retrieved from https://docs.microsoft.com/en‐us/previous‐versions/msp‐

n‐p/ee658094(v=pandp.10)

Mitre. (2018). Systems Engineering Guide—Analyzing and Defining

Requirements. Retrieved from https://www.mitre.org/publications

/systems‐engineering‐guide/se‐lifecycle‐building‐blocks/requirements‐

engineering/analyzing‐and‐defining‐requirements

© 2023 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the

validity or integrity of information located at external sites.

Requirements https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

5 of 5 2/7/2023, 5:35 PM

Developing Requirements for an IT
System

Where Do the Requirements Come From?

Let’s assume that someone in the organization identifies one or more

problems with the way a process is working. Whether the current process

is supported by an IT system or not, the analyst might ask people with

different roles in the process two questions:

• What problems are you having in performing the task today?

• How do you see an IT system helping to improve things?

These questions should elicit a variety of responses from multiple

perspectives. The executives might answer with how the organizational

strategies and objectives could be better supported with an IT

system.

Managers may answer the questions with how an IT system would help

them manage the people and processes better. Front‐line employees will

likely focus on their tasks and which steps could be done more easily and

quickly if they had a system. The analyst will use information gathered

during the process analysis phase to help stakeholders identify and clarify

what the system needs to do for them.

If there is organizational agreement that a new system is probably

needed, then a determination should be made as to whether a system will

Learning Resource

Developing Requirements for an IT System https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

1 of 9 2/7/2023, 5:35 PM

https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/developing-requirementsforanitsystem.html?
wcmmode=disabled

need to be developed or if a pre‐built commercial off‐the‐shelf (COTS)

solution might work. This would include answering the following types of

questions:

• For what major functions or tasks is the user seeking an IT solution?

• Is there any part of that task that is likely to be unique to this

organization?

• Would it be possible to find a COTS solution, since those are already

created, are ready to be used, and are often much less costly to

implement?

If the organization does not employ any significantly unique functions to

accomplish a standard business process, then it is likely that a COTS

solution exists that could meet the needs. The determination of whether

a system is to be built or bought drives the level of detail needed in the

requirements. Many more requirements with much more detail are

needed for building a system than for buying one.

Regardless of whether a system is to be built or bought, the next step is

to identify the high level user requirements (or “functional”

requirements). This is done by interviewing the expected users of the

system. Users very often know some of what they need the system to do,

but are unable to list all the functions they need. One way the analyst

elicits the requirements is by asking a variety of users at different levels

of the organization and with different responsibilities how the processes

are currently being done and what it is that the current system or process

does or does not do efficiently. The manager’s perspective and needs are

quite different from the front‐line employee trying to perform specific

tasks, and the executive’s perspectives and needs are unique to that level

of the organization. After a series of interviews, the analyst can

categorize and document the requirements that are emerging. Some of

these will likely be at a very high level (e.g., “I need annual financial

reports”) to very low‐level detailed items (e.g., “the zip code must include

all 9 digits”). For an accounting system, the high‐level requirements might

Developing Requirements for an IT System https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

2 of 9 2/7/2023, 5:35 PM

include “the system must implement the Generally Accepted Accounting

Principles (GAAP)” or “the system must produce a monthly expense

statement,” along with many other functions identified by the users. One

of the biggest challenges for the analyst is to differentiate between a

“must have” (essential) requirement and a “nice to have” feature. When

requirements are collected and documented they are often put into these

two categories. The analyst asks the end user to determine whether each

requirement is a “must have” or a “nice to have” item, and documents

accordingly.

Some users may identify requirements that they believe the system must

perform, but that the analyst does not believe should be part of the

specification for the system in question. At this point in the process, all of

the requirements identified by any of the participants should be listed.

Eventually, the full list of requirements will be reviewed, modified as

necessary and approved by the system “owner” and major stakeholders.

During that part of the process, final determinations will be made about

which requirements are essential, which are “nice to have,” and which

should be eliminated. The list of essential requirements will be used to

identify whether there are COTS products available that should be

considered; “nice to have” requirements will be used to compare solutions

that meet the essential requirements. In a system development

environment, the essential requirements will be used to determine the

scope of the project. It is often easier and less costly to include “nice to

have” items in systems being developed in‐house, but the overall cost of

developing and maintaining IT systems must be considered in making that

decision. In the systems development life cycle (SDLC) analysis phase, the

project sponsor signs off on the requirements document. In later SDLC

phases, the requirements are used to design, develop, and test the

system.

A separate set of system performance (system quality and security)

requirements comes from the combination of end user needs as well as

technical specifications developed by the IT department. The answers,

Developing Requirements for an IT System https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

3 of 9 2/7/2023, 5:35 PM

again, are elicited via interviews with expected system users and

managers. Below are example questions that the analyst might ask to

develop system performance requirements in each of the system quality

and security categories:

• Usability—Do you want the system user to have access to an online

help manual? Do you want the user to be able to access context‐

specific help while entering each data field on the screen?

• Scalability—How many users and how many records/transactions do

you need the system to be able to accommodate? How much might

those increase over time?

• Availability—Are there any time blocks where access to the system is

not needed (e.g., no one would use the system between midnight to

4 a.m. daily)?

• Reliability—Can you provide examples of tasks where the system

needs to create and maintain accurate/correct data?

• Maintainability—Are system security updates applied within 24

hours? (While end users are affected by the maintainability of the

system, it is usually up to the IT department to determine whether

the process used accommodates changes as needed and whether

updates are made in a timely manner.)

• Portability—What devices do you want the users of the system to be

able to use? Is it likely that they would use a smartphone, tablet,

etc., to either query or use the system?

• Interoperability—Are there any systems with which the new system

will need to directly exchange data?

• Security—This is another area where users are affected, but need

assistance from technical specialists to determine the requirements.

The analyst might ask: How sensitive is the data? Are there any

regulations concerning protecting the type of data in this system

(personally identifiable information, health care or other data

Developing Requirements for an IT System https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

4 of 9 2/7/2023, 5:35 PM

protected by law, etc.)? Do you want users to be restricted as to

what they can do with the system or what data they can access?

Should this be based on their role in the organization? How often

does the data change? How long could you continue to operate if the

system were unavailable?

The User’s Role—Identifying Requirements

As discussed above, it is the responsibility of the system users to identify

the need for a solution to a problem or to identify processes that could be

improved and performed more effectively or efficiently. The user is

familiar with the business process to be accomplished and with how it is

currently performed, and can identify any issues that exist. Previous work

completed on process analysis is an important precursor to defining

requirements. It is not unusual for the business person to look around and

find potential IT solutions to their problems, and some want to jump

immediately into acquiring a specific solution. However, without a set of

requirements that has been approved by the organization, a solution that

fits one set of problems may not fit the needs of other users of the

system.

The Analyst’s Role—Documenting
Requirements

One of the business analyst’s biggest challenges is to get the users to

identify their requirements rather than focus on a specific solution. The

analyst conducts interviews and observes the process as it exists and

documents the process. Using the process analysis work done previously

and by asking the types of questions discussed above, the analyst gathers

the requirements for the new or updated IT system and begins to

document them.

How Are Requirements Statements Written?

Developing Requirements for an IT System https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

5 of 9 2/7/2023, 5:35 PM

There are a number of “rules” for writing requirements statements. These

rules help to ensure that the requirements can be clearly understood and

that it is possible to determine whether or not the new system meets

each of the requirements. Poorly written requirements lead to

misunderstanding and misinterpretation and can lead to a system that

does not do what the users need it to do.

The analyst uses the list of requirements that the users identified and

rewrites each requirement to meet the criteria listed below.

Each requirement statement:

• Either describes a task that the user needs the system to

perform, or states a system performance expectation.

• Identifies only one requirement; avoids the words “and,” “also,”

“with,” and “or.”

• Is a complete sentence, with a subject (usually “the system”) and

predicate (intended result, action or condition).

• Uses “must” (not “may” or “should” or “will” or “shall”); written as

“The system must….”

• Is generally stated in positive terms (i.e., “the system must xxxx” vs.

“the system must not xxx”); however, there are times when “must

not” is the more appropriate way to express the

requirement.

• Is measurable; includes a measure or metric that can be used to

determine whether the requirement is met (e.g., time or quantity),

where appropriate; avoids the use of terms that cannot be defined

and measured, such as “approximately,” “robust,” “user friendly,” etc.

• Is achievable and realistic; avoids terms such as “100% uptime,” or

“no failures.”

• Is complete; it can stand alone and be understood.

• Must be testable; that is, there must be some way to test the system

Developing Requirements for an IT System https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

6 of 9 2/7/2023, 5:35 PM

to determine whether the requirement is met.

Below are some examples of poorly written and well‐written

requirements, with explanations of what is wrong with the poorly written

requirements statements.

Poorly Written
Requirement What Is Wrong

Well‐Written
Requirement

Users must have access

to their personal data,

which will be

transmitted in a secure

manner.

Two requirements (in

this case, one user and

one system

performance) are

expressed; each

statement should

express only one

requirement.

1.

The system must

provide a user

with access to

their personal

data.

2. The system must

transmit personal

data in a secure

manner.

The system must

calculate the total of all

items in the online or

website shopping cart

and display the total to

the user.

Two requirements are

expressed; each

statement should

express only one

requirement.

1. The system must

calculate the total

of

all items in the

online or website

shopping cart.

2. The system must

display the total of

all items in the

online or website

shopping cart to

the user.

Developing Requirements for an IT System https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

7 of 9 2/7/2023, 5:35 PM

Poorly Written
Requirement What Is Wrong

Well‐Written
Requirement

Report must be

provided within 5

seconds of the user

clicking on

“submit.”

Not a complete

sentence; and should be

stated as “The system

must…”

The system must

provide the report

within 5 seconds of the

user clicking on

“submit.”

The system should

require the user to

provide a shipping

address.

Avoid the use of

“should”; use “must.”

The system must require

the user to provide a

shipping address.

The system must be

easy to use.

“Easy to use” is not

measurable or testable.

The system must

provide on‐screen

prompts to guide the

user through the correct

steps to place an order.

The Requirements Document

Once the requirements statements are written correctly, they should be

grouped into categories. The first categorization is whether a

requirement is essential or nice to have. As stated above, this is done by

asking the individual who identified it as a requirement, rather than using

the analyst’s judgment. Then, the requirements are grouped by the

function or process involved so that the user community can understand

them. Using the accounting system example, the requirements might be

grouped under headings like: accounts receivable, accounts payable,

payroll processing, financial reports, etc. Arranging the requirements in a

sequence that follows the steps in a task is also helpful. For example, in

establishing a receivable account, there are specific steps taken; if the

requirements are listed in the order that is generally used, it allows the

Developing Requirements for an IT System https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

8 of 9 2/7/2023, 5:35 PM

end user to ascertain whether the list of requirements is complete and

accurate. Each requirement statement will be assigned a unique identifier

so that it can be referred to with ease and clarity. A full requirements

document or “requirements specification” may contain many hundreds, or

even thousands, of requirements. Again, more detailed requirements are

needed for systems being built in‐house or under contract. In the case of

selecting a COTS product, only the higher level essential user

requirements and the system performance requirements need to be

developed. Otherwise, if too many specifics are identified, it may be

impossible to find a COTS solution.

If all this documentation of requirements seems like it is very time‐

consuming, it is! Identifying and documenting the requirements is the

basis upon which all further system decisions will be made, so it is a

valuable investment of time and human resources. The later in the

process that requirements changes are introduced, the more costly they

become to implement. In developing a system, it would require the

developers to go back and re‐do portions of the system and re‐test all the

possible outcomes; and, depending on the severity and impact of the

change, it may prove to be extremely costly. For COTS solutions, a

significant change to one or more essential requirements may impact

which systems should even be considered. The upfront investment in

defining the requirements helps prevent downstream costs and delays.

© 2023 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the

validity or integrity of information located at external sites.

Developing Requirements for an IT System https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

9 of 9 2/7/2023, 5:35 PM

Maryland Technology Consultants is a fictitious company created for the IFSM 300 Case Study.

MTC Case Study 11/23/2019 Ver. 1 1

Maryland Technology Consultants, Inc.

Maryland Technology Consultants (MTC) is a successful Information Technology consulting firm
that utilizes proven IT and management methodologies to achieve measurable results for its

customers. Its customer base includes small to mid-tier businesses, non-profit organizations
and governmental agencies at the local, state and federal levels. MTC feels strongly that its
success is dependent on the combination of the talent of its IT consultants in the areas of,

Business Process Consulting, IT Consulting and IT Outsourcing Consulting and their ability to

deliver truly extraordinary results to their clients.

Corporate Profile

Corporate Name: Maryland Technology Consultants, Inc.

Founded: May 2008

Headquarters: Baltimore, Maryland

Satellite Locations: Herndon, Virginia; Bethesda, Maryland

Number of Employees: 450
Total Annual Gross Revenue: $95,000,000

President and

Chief Executive Officer (CEO): Samuel Johnson

Business Areas

MTC provides consulting services in the following areas:

• Business Process Consulting – Business process redesign, process improvement, and best

practices
• IT Consulting – IT strategy, analysis, planning, system development, implementation, and

network support
• IT Outsourcing Consulting – Requirements analysis; vendor evaluation, due diligence,

selection and performance management; Service Level Agreements

Business Strategy

MTC’s business strategy is to provide extraordinary consulting services and recommendations

to its customers by employing highly skilled consultants and staying abreast of new business
concepts and technology and/or developing new business concepts and best practices of its

own.

Maryland Technology Consultants is a fictitious company created for the IFSM 300 Case Study.

MTC Case Study 11/23/2019 Ver. 1 2

Excerpt from the MTC Strategic Business Plan

While the complete strategic plan touches on many areas, below is an excerpt from MTC’s

latest Strategic Business Plan that identifies a few of MTC’s Goals.

Goal 1: Increase MTC Business Development by winning new contracts in the areas of IT

consulting.

Goal 2: Build a cadre of consultants internationally to provide remote research and analysis
support to MTC’s onsite teams in the U. S.

Goal 3: Continue to increase MTC’s ability to quickly provide high quality consultants to
awarded contracts to best serve the clients’ needs.

Goal 4: Increase MTC’s competitive advantage in the IT consulting marketplace by increasing its

reputation for having IT consultants who are highly skilled in leading edge technologies and
innovative solutions for its clients.

Current Business Environment

MTC provides consultants on-site to work with its clients, delivering a wide variety of IT-related

services. MTC obtains most of its business through competitively bidding on Requests for

Proposals issued by business, government and non-profit organizations. A small but growing

portion of its business is through referrals and follow-on contracts from satisfied clients. MTC

anticipates it will win two large contracts in the near future and is preparing proposals for

several other large projects.

MTC, as a consulting company, relies on the quality and expertise of its employees to provide

the services needed by the clients. When it is awarded a contract, the customer expects MTC

to quickly provide the consultants and begin work on the project. MTC, like other consulting

companies, cannot afford to carry a significant e number of employees that are not assigned to

contracts. Therefore, they need to determine the likelihood of winning a new contract and

ensure the appropriately skilled consultants are ready to go to work within 60 days of signing

the contract. MTC relies on its Human Resources (HR) Department to find, research, and assess

applicants so that line managers can review and select their top candidates and hire

appropriate consultants to meet their needs for current new contracts. It is very much a “just

in time” hiring situation.

The Headquarters in Baltimore, Maryland, houses approximately 350 employees. Satellite

offices have been opened in the last two years in both Herndon, Virginia and Bethesda,

Maryland to provide close proximity to existing clients. It is anticipated that new pending

contracts would add staff to all locations. The management team believes there is capacity at

all locations, as much of the consultants’ work is done on-site at the clients’ locations.

Maryland Technology Consultants is a fictitious company created for the IFSM 300 Case Study.

MTC Case Study 11/23/2019 Ver. 1 3

Strategic Direction

As a small to mid-size business (SMB), MTC recognizes that it needs to carefully plan its future

strategy. Considering the competitive environment that contains many very large IT consulting

firms, such as Hewlett-Packard (HP), Booz Allen Hamilton (BAH), and Science Applications

International Corporation (SAIC), as well as numerous smaller companies with various skill sets,

market niches, and established customer bases, MTC will be evaluating how best to position

itself for the future and recognizes that its ability to identify its core competencies, move with

agility and flexibility, and deliver consistent high quality service to its clients is critical for

continued success. MTC’s plan for growth includes growing by 7% per year over the next five

years. This would require an increase in consulting contract overall volume and an expanded

workforce. One area that is critical to a consulting company is the ability to have employees

who possess the necessary knowledge and skills to fulfill current and future contracts. Given

the intense competition in the IT consulting sector, MTC is planning to incorporate a few

consultants in other countries to provide remote research and analysis support to the on-site U.

S. teams. Since MTC has no experience in the global marketplace, the Director of HR has begun

examining international labor laws to determine where MTC should recruit and hire employees.

Challenges

Increased business creates a need to hire IT consultants more quickly. Overall, the Director of

HR is concerned that the current manual process of recruiting and hiring employees will not

allow his department to be responsive to the demands of future growth and increased hiring

requirements. There are currently two contracts that MTC expects to win very soon will require

the hiring of an additional 75 consultants very quickly. He is looking for a near-term solution

that will automate many of the manual hiring process steps and reduce the time it takes to hire

new staff. He is also looking for a solution that will allow MTC to hire employees located in

other countries around the world.

Management Direction

The management team has been discussing how to ramp up to fill the requirements of the two

new contracts and prepare the company to continue growing as additional contracts are

awarded in the future. The company has been steadily growing and thus far hiring of new

employees has been handled through a process that is largely manual. The HR Director

reported that his staff will be unable to handle the expanded hiring projections as well as

accommodate the hiring of the 75 new employees in the timeframe required. The Chief

Information Officer (CIO) then recommended that the company look for a commercial off-the-

shelf software product that can dramatically improve the hiring process and shorten the time it

takes to hire new employees. The Chief Financial Officer (CFO) wants to ensure that all

investments are in line with the corporate mission and will achieve the desired return on

investment. She will be looking for clear information that proposals have been well researched,

provide a needed capability for the organization, and can be cost-effectively implemented in a

Maryland Technology Consultants is a fictitious company created for the IFSM 300 Case Study.

MTC Case Study 11/23/2019 Ver. 1 4

relatively short period of time to reap the benefits. The CEO has asked HR to work with the CIO

to recommend a solution.

Your Task

As a business analyst assigned to HR, you have been assigned to conduct an analysis, develop a

set of system requirements, evaluate a proposed solution, and develop an implementation plan

for an IT solution (applicant tracking system hiring system) to improve the hiring process. You

have begun your analysis by conducting a series of interviews with key stakeholders to collect

information about the current hiring process and the requirements for a technology solution to

improve the hiring process. Based on your analysis and in coordination with key users you will

produce a Business Analysis and System Recommendation Report (BA&SR) as your final

deliverable.

Interviews

In the interviews you conducted with the organizational leaders, you hear the comments

recorded below.

CEO: Samuel Johnson

“While I trust my HR staff to address the nuts and bolts of the staffing processes, what is

critically important to me is that the right people can be in place to fulfill our current contracts

and additional talented staff can be quickly hired to address needs of future contracts that we

win. I can’t be out in the market soliciting new business if we can’t deliver on what we’re

selling. Our reputation is largely dependent on having knowledgeable and capable staff to

deliver the services our clients are paying for and expect from MTC.”

CFO: Evelyn Liu

“So glad we’re talking about this initiative. As CFO, obviously I’m focused on the bottom line. I

also recognize it’s necessary to invest in certain areas to ensure our viability moving forward. I

recognize that the current manual hiring process is inefficient and not cost-effective. Having

technology solutions that improve current process and enable future functionality is very

important to MTC’s success. We must consider the total cost of ownership of any technology

we adopt. MTC is run as a lean-and-mean organization and support processes must be effective

but not overbuilt. We do want to think towards the future and our strategic goals as well and

don’t want to invest in technology with a short shelf-life. Along those lines, we currently have a

timekeeping and payroll system that requires input from the hiring process to be entered to

establish new employees; and to help support our bottom line financially, any new solution

should effectively integrate with, but not replace, those systems.

Maryland Technology Consultants is a fictitious company created for the IFSM 300 Case Study.

MTC Case Study 11/23/2019 Ver. 1 5

CIO: Raj Patel

“As a member of the IT Department, you have a good understanding of our overall architecture

and strategy; however, let me emphasize a few things I want to be sure we keep in mind for this

project. Any solution needs to be compatible with our existing architecture and systems as

appropriate. Obviously, we have chosen not to maintain a large software development staff so

building a solution from the ground up does not fit our IT strategic plan. Our current strategy

has been to adopt Software as a Service (SaaS) solutions that can be deployed relatively quickly

and leverage industry best practices at a low total cost. In addition, our distributed workforce

means we are very dependent on mobile computing – this brings some challenges in term of

portability, maintenance, and solutions that present well on mobile devices. We’ve been

expanding at a rapid rate and are seeking to expand internationally so any solution will need to

be viable globally. And last, but certainly not least, MTC’s success is largely dependent on our

ability to satisfy the requirements of our clients and maintain a reputation of high credibility,

reliability and security. Any security breach of our applicants’ data could have a devastating

effect to our ability to compete for new business as well as maintain current clients. Any

technology solution adopted by MTC must contain clear security measures to control access and

protect data and allow us to use our current security for mobile links. I recognize that MTC can

no longer rely on a manual hiring process to meet these needs.”

Director of HR: Joseph Cummings

“Thanks for talking with me today. I see this effort as very important to the success of

MTC. While the recruiting staff has done an excellent job of hiring top IT consultants, the rapid

growth to date and future plans for expansion have pushed our recruiting staff, and we

recognize we can no longer meet the hiring and staffing demands with manual processes. I’m

also interested in solutions that are easy-to-use and can interface with our existing systems and

enhance processes. I’m willing to consider a basic system that can grow as MTC grows and

provide more capabilities in the future. I’m sure Sofia, our Manager of Recruiting, can provide

more specifics.”

Manager of Recruiting: Sofia Perez

“You don’t know how long I’ve been waiting to begin the process of finding a technology

solution to support our recruiting processes. In addition to myself, there are 2-3 full-time

recruiters who have been very busy keeping up with the increased hiring at MTC; and there are

no plans to increase the recruiting staff. It goes without saying that a consulting company is

dependent on having well-qualified employees to deliver to our customers. We’re in a

competitive market for IT talent and want to be able to recruit efficiently, process applicants

quickly, and move to making a job offer to the best candidate before the competition snaps

him/her up. When I talk with my colleagues in other companies, they mention applicant

tracking systems that have enabled them to reduce their hiring time by 15-20%. I’m so envious

of them and look forward to having our new solution in place before the next set of contracts

are won and we need to hire 75 (to as many as 150) staff in a 2-month period. I do not think my

Maryland Technology Consultants is a fictitious company created for the IFSM 300 Case Study.

MTC Case Study 11/23/2019 Ver. 1 6

team can handle such an increase in an efficient and effective manner. On-going growth at

MTC will continue to increase the demands to hire more consultants quickly. It really seems like

there would be a rapid return on investment in a technology solution to support and improve

the hiring process.”

Recruiters: Peter O’Neil (along with Mike Thomas and Jennifer Blackwell)

“This project should have happened 2 years ago but glad it’s finally getting some attention. As a

recruiter, I’m sort of the middleperson in this process. On one hand, we have the job applicant

who is anxious to know the status of his/her application and fit for the advertised position. It’s

important that the recruiters represent MTC well, as we want the best applicants to want to

come to work for us. Then we have the actual hiring manager in one of our business areas who

has issued the job requisition and wants to get the best applicant hired as quickly as possible.

Obviously recruiting is not the hiring manager’s full-time job, so we’re always competing for

time with other job responsibilities, so we can keep things moving as quickly as possible. They

provide us with job descriptions to meet the needs of clients and look to us to screen resumes

and only forward the best qualified applicants to them so they can quickly identify their top

candidates. Working with Tom, our administrative assistant, we need interviews to be

scheduled to accommodate everyone’s calendars. After the hiring managers make their final

selections of who they would like to hire, it is our task to get the job offers presented to the

candidates – hopefully for their acceptance. Everything is very time sensitive, and the current

process is not nearly as efficient as it could be. Applications and resumes can get lost in

interoffice mail or buried in email; and, when a hiring manager calls us, we often cannot

immediately provide the status of where an applicant is in the process. This can be very

frustrating all around. Speaking for myself and the other recruiters, I have high expectations for

this solution. We need to really be able to deliver world-class service to MTC in the recruiting

and hiring areas to meet the business goals.”

Administrative Assistant: Tom Arbuckle

“I support the recruiters in the hiring process. After the recruiters screen the resumes and select

the best candidates for a position, my job is to route those applications and resumes via

interoffice mail to the respective functional/hiring manager, receive his or her feedback on who

to interview and who should be involved in the interviews, schedule the interviews based on

availability of applicants and the interview team members, collect the feedback from the

interview team and inform the assigned recruiter of the status of each candidate who was

interviewed. In addition to preparing the job offer letter based on the recruiter’s direction, after

a job offer has been made and accepted, I coordinate the paperwork for the new hire with HR

and Payroll to ensure everything is ready to go on the first day. As you can imagine when hiring

volume is up, I’m buried in paperwork and trying to keep all the applicants and their resumes

straight, track their status in the process, and ensure everyone has what they need is very

challenging. I love my job, but want to ensure I can continue to keep on top of the increased

hiring demands and support the recruiting team effectively. Any tool that would help the

workflow and enable many steps in the process to be done electronically would be wonderful.”

Maryland Technology Consultants is a fictitious company created for the IFSM 300 Case Study.

MTC Case Study 11/23/2019 Ver. 1 7

Hiring Manager (in functional area; this person would be the supervisor of the new employee

and would likely issue the job requisition to fill a need in his/her department/team):

“While it’s a good problem to have – new business means new hires — the current method for

screening applications, scheduling interviews, identifying the best qualified applicants, and

getting a job offer to them is not working. My team is evaluated on the level of service we

provide our clients, and it is very important that we have well-qualified staff members to fulfill

our contracts. Turnover is common in the IT world and that along with new business

development, makes the need for hiring new staff critical and time-sensitive. I confess that

sometimes I’m not as responsive to HR as I should be; but although hiring new consultants for

the contracts I manage is important to successfully meet the clients’ needs, this is only one of

several areas for which I’m responsible. I look to the recruiters to stay on top of this for me. In

the ideal world, I’d like an electronic dashboard from which I can see the status of any job

openings in my area, information on all qualified candidates who have applied and where they

are in the pipeline. Electronic scheduling of interviews on my calendar would be a real time

saver. It’s important that we impress candidates with our technology and efficiency – after all

we are an IT consulting company—and using manual processes makes us look bad. And, this

system must be easy to use – I don’t have time for training or reading a 100-page user’s

manual. Just need to get my job done.”

Enterprise Systems

First, what do we mean by an enterprise system? This term refers to

systems that integrate data across an enterprise (organization) to support

the business processes related to a variety of business functions—from

basic functions like human and financial resource management to

managing the supply chain and customer relationships. The same system

is used by employees performing a specific function from anywhere in the

organization. Some business functions for which enterprise‐wide

solutions are often used include the following:

• Enterprise Resource Planning (ERP)

• Supply Chain Management (SCM)

• Customer Relationship Management (CRM)

• Enterprise Messaging Systems (to include email)

• Human Resources Management

• Financial Management

• Billing and Payment Processing

• Call Center and Customer Support

• Enterprise Content/Document Management

These functions can be done by one large‐scale, enterprise‐wide system

that integrates several major functions, or through linking (or integrating)

Learning Resource

Enterprise Systems

1 of 11 2/19/2023, 8:31 PM

Link: https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/enterprise-systems.html?wcmmode=disabled

individual systems through a type of middleware—usually referred to as

enterprise application integration (EAI). Generally, it is much more

effective to use a single integrated platform rather than multiple

applications that were not designed to work together.

Enterprise systems can be developed in‐house or acquired as a

commercial off‐the‐shelf (COTS) product. COTS products can be

purchased and implemented on internal servers or acquired as a

Software‐as‐a‐Service (SaaS) from a cloud service provider. To attract

more customers, the COTS/SaaS vendors implement features that all

their customers can benefit from, such as heightened security

protections, support for new industry standards and legislation, and

increased ability to separate system access and update by job function.

The focus in this section will be on COTS systems developed to manage

one or more business functions across the organization. The three most

common types of enterprise systems will be covered: Enterprise Resource

Planning (ERP), Supply Chain Management (SCM) and Customer

Relationship Management (CRM).

Enterprise Resource Planning (ERP) Systems

An ERP system is built to support an integrated approach to managing

some or all of the core processes involved in running a company: human

resources management, financial management, procurement, etc. ERP

systems were originally developed to handle these “back office”

functions. ERP is actually the business process of integrating the core

functions across an organization; the term by itself is not defined as a

“system,” although many people refer to an ERP systems as an “ERP.”

ERP software was developed to implement the ERP process; such

software integrates, standardizes and streamlines (or optimizes) the

business processes across departments. Users of the various functions of

ERP system are presented with common screens and system functions to

allow them to move easily between functional components, and to reduce

Enterprise Systems https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

2 of 11 2/19/2023, 8:31 PM

training costs. Generally, the ERP system operates as a single system with

a common database employing common data definitions. Using one

database saves organizations from updating several systems with the

same data, and provides greater accuracy and collaboration between

departments. Transactions are processed against the database

immediately, and the updated information is available across the

organization immediately. This is in contrast to an organization using

multiple “stovepipe” systems with redundant (and often not synchronized)

data. For example, employee data (name, address, SSN, etc.) is stored

once and can be accessed for payroll, timekeeping, travel expense

reimbursement, facilities access, etc., and if the employee makes a

change, it is changed in one place for all to access.

In summary, the characteristics of an ERP include:

• enterprise‐wide integration,

• a common database,

• real‐time operation and processing of data and transactions, and

• consistent look and feel.

Business Benefits of ERPs

ERPs improve the efficiency and effectiveness of business operations by

providing:

• Integrated information that is consistent across the enterprise and

provides a “single truth” in areas such as

◦ Financial information—There is one set of financial figures that

everyone can use.

◦ HR information—Employees can enter updates directly into the

system, and their skills and experience can be viewed by

managers across the organization.

Enterprise Systems https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

3 of 11 2/19/2023, 8:31 PM

◦ Order information—Orders affect inventory, accounting,

distribution, and manufacturing, all of which can be updated in

the single system when an order is placed.

◦ Customer information—The same customer information is

available to all departments.

• Best practices—The systems are designed to implement best

business practices for each of the functional areas and streamline the

steps in the process, reducing the time required to complete each

process.

• Standardized business processes—All users of the system perform

the function in the same way, and every process is supported by the

system with a similar look and feel for all users, regardless of their

department.

• Lower IT costs—The use of a single system for multiple functions

reduces total costs associated with acquiring, operating, and

maintaining multiple systems; however, if the ERP is significantly

modified to fit the organization, the cost advantage may disappear.

• Reduced training costs—Employees use a similar interface for all

major business functions.

• Consolidated procurements—The use of a single system for

purchasing products provides opportunities to consolidate similar

orders from various departments to receive volume discounts.

• Improved compliance—Time and effort are reduced in responding to

the wide variety of government reporting requirements, including

financial reporting, human resources and wage reporting,

environmental reporting, etc. Compliance is also enforced through

the standardized business processes implemented in the ERP.

ERPs lead to better decision‐making.

• Common data that is shared across the organization is used for

Enterprise Systems https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

4 of 11 2/19/2023, 8:31 PM

analysis and decision‐making.

• Better data improves planning and reporting.

• ERPs promote collaboration across departments and levels of the

organization since all involved have the same version of the facts.

• ERPs support distributed decision‐making, as participants can act

locally in accordance with the guidance provided and the results of

their actions are available throughout the organization.

ERPs lead to increased organizational agility.

• The standardization and simplification of the business processes and

the use of a common system allows the organization to adapt quickly

when necessary.

ERPs provide enhanced security for corporate data.

• Data that is stored in one location can be better secured than data

that is stored in multiple locations, especially since corporate data

may be stored on hundreds of servers and personal computers

anywhere and its existence may even be unknown to the security

specialists.

• Vendors serving multiple customers can provide better and more

extensive security for systems and data than individual organizations

are able to provide.

Industry‐specific ERPs are designed to support the unique business

processes of the industry, such as those required by financial institutions,

service industries, government, health care, higher education, and

hospitality. The way that processes are carried out in each of those can

be quite different. ERPs are also designed specifically for small, small‐to‐

medium size, large, and very large international organizations. The size

and type of organization are taken into account when selecting an ERP.

Major Disadvantages of Implementing ERPs

Enterprise Systems https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

5 of 11 2/19/2023, 8:31 PM

• The time it takes to implement them: Since ERPs are used

throughout the organization, many departments are affected and

much coordination is required. Further, since the ERP may be

replacing a myriad of systems implemented throughout the

organization (including on individual desktop PCs), it takes a

considerable amount of time to discover all those legacy systems and

determine if and how to incorporate the data into the new system.

• The cost of the system: There are initial purchase costs, which can be

quite high, and significant implementation costs to coordinate the

implementation across the enterprise. Depending on the amount of

customization needed, the ongoing maintenance costs can be very

high, since each new release from the vendor needs to be thoroughly

tested, and any modifications already made need to be applied to the

upgraded system.

• Change management is required before, during and after

implementation to align business practices with the way the system

works.

There have been some very well publicized ERP implementation failures,

and you may have witnessed one where you work(ed). Among the causes

of failure are:

• Selecting the wrong ERP. As mentioned above, ERPs are designed

for various sizes of organizations. Choosing an ERP with too many

features may overwhelm a small organization; conversely, not having

enough features to support a very large and diverse organization can

lead to failure. Although ERP systems were originally designed for

large organizations, there are now many products available for small

to mid‐sized businesses.

• Customizing the ERP. When organizations implement an ERP, their

business processes must be adapted to the way the system is

designed. If an enterprise determines that they will modify the

software to match their process, many issues are introduced. The

Enterprise Systems https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

6 of 11 2/19/2023, 8:31 PM

time to implement and the costs go up significantly, as does the risk.

Future upgrades from the vendor may not function without

significant code changes due to the customization.

• Employee resistance. People resist change, but employee resistance

seems much more common with ERPs, where the changes are more

pervasive and obvious. The process changes that an ERP requires

may remove flexibility formerly enjoyed by the staff, who might

perceive a loss of autonomy and control.

• Lack of common data definitions. When an ERP is implemented,

data from multiple stovepipe systems must be migrated to the single

database. Most often those legacy systems each have their own

definitions and formats for the data – and the same data item stored

in different systems may be called by a different name and/or may be

formatted differently. Before the data can be loaded into the ERP, a

common set of definitions and formats is needed. For some

organizations, this is an insurmountable problem, and they end up

abandoning their ERP implementation.

ERP Summary

ERP systems have been extended in many organizations to include

seamless integration of supply chain management (SCM) and customer

relationship management (CRM) processes and data across the

organization. Linked with ERPs, SCM and CRM systems provide the end‐

to‐end visibility of a company’s information; the ERP provides the “glue”

to allow all the systems of an enterprise to work together to get the right

information to the right people at the right time.

By now two things should be clear:

1. Effective ERPs can provide great strategic advantage to an

organization and help break down the stovepipes of informa

tion

aligned to specific functions (like human resources, finance, etc.).

Enterprise Systems https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

7 of 11 2/19/2023, 8:31 PM

2. ERPs require significant investment of time and money and can be

very expensive to effectively select and implement.

Supply Chain Management (SCM) Systems

If you think of the basic model of a business, it is: input/process/output.

Resources (human, financial or supply resources) come in, and then the

work of the company is to transform them some way into something that

customers want (process), and then provide it to the customers (output)—

the output could be to wholesalers, retailers, or individual customers. A

simplistic overview of the input/process/output supply business model is

provided in the table below:

Input/Process/Output Supply Business Model

Industry Input Process Output

Manufacturing Raw materials Combine raw

materials to

make a product

Product

Consulting Information;

human capital

(analysts)

Analysis Report

Restaurant Fresh or frozen

food

Cooking/Prepara

tion

Meals

SCM can be thought of as “the management of the chain of supplies.” It

encompasses the range of activities needed to plan, manage, and execute

the development of the product, from the acquisition of raw materials,

Enterprise Systems https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

8 of 11 2/19/2023, 8:31 PM

through production and distribution, all the way to the final customer.

The objective is to do so in the most cost‐effective manner possible.

In the example of a simplified manufacturing supply chain, we might start

with several suppliers of raw materials—all the things needed to make the

product. Each of these items may come from a different supplier, in

different quantities, and on different schedules. All of the necessary items

need to be assembled at the manufacturing plant and then they are put

together to make the product. The product then is shipped to a

warehouse where it is stored. At the appropriate time, product is moved

from the warehouse to a retail store, where it is put on a shelf to be sold.

The supply chain does not stop there. After the product is sold, it may

need service, or the customer may wish to return it. Every one of these

steps have costs and complexity associated with them. Through SCM,

both management and employees can view what’s happening along the

supply chain to make better decisions. Each step in the supply chain

provides an opportunity to impact profitability, quality, etc.

In today’s world, it is impossible to have an effective supply chain without

the use of technology, including the right technology solution to

implement the business strategy. Companies compete on the basis of

who has the right product, in the right place, at the right time. Once

again, getting the right information to the right people at the right time is

critical to successful SCM, and that is exactly what good SCM systems do.

Businesses use SCM to plan, source, make, deliver, and return their

products. SCM helps them develop a plan for managing all the resources

needed; choose reliable suppliers; manufacture their products or services;

implement their logistics processes (receive and fulfill orders and receive

payment); and provide for returns, excess product, and customer support.

This is an iterative process that goes on continuously as companies

monitor, evaluate, and modify their supply chains. SCM is a clear example

of the relationship between people, information, business processes, and

information technology.

Enterprise Systems https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

9 of 11 2/19/2023, 8:31 PM

Customer Relationship Management (CRM)
Systems

CRM, like ERP and SCM, is a business philosophy, not a technology,

although many people use the term to represent a system. CRM is based

on the idea that a strong competitive advantage can be achieved by

understanding customer needs. Companies that recognize that their

customers are not just generators of revenue but are valued assets are

moving quickly from a focus on their product to a focus on the customers.

As companies deal with customers around the world and expanding

competition, they find that adopting a CRM strategy is essential. It costs

much less to make a repeat sale to an existing customer than it costs to

make a sale to a new customer.

CRM helps organizations of all sizes, but the larger the company, the

more complex the problems become. Here’s where an information system

can provide immense value—allowing the company to capture

information, make it available to all functions that need to know

something about the customers, and provide superior customer service.

In addition, the availability of this data enables companies to analyze the

information to determine patterns and trends in customer habits, analyze

demographic profiles of customers to target marketing campaigns, and

identify ways to build customer loyalty. CRM systems can link customer

information from a variety of sources, including social media. While they

are designed for use by marketing, sales, and support organizations, the

information they contain can inform a wide variety of business decisions,

such as production levels, geographic distribution of their products,

markets for new products, etc.

ERP, SCM, or CRM System?

SCM and CRM systems bring similar advantages and disadvantages to

those discussed above for an ERP. Organizations determine which type

Enterprise Systems https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

10 of 11 2/19/2023, 8:31 PM

of enterprise system is appropriate based on analysis of the requirements

of the organization, just as for any other system. If the organization

simply wishes to automate its “back office” functions, then an ERP

(focused on accounting or finance) may suffice. If the organization can

take advantage of an industry‐specific ERP to perform those functions in

a way that is uniquely suited to the industry, then that is the category of

ERP that should be researched. If the organization needs supply chain or

customer relationship management tools, and already has an ERP in place,

it might look for additional modules from the ERP vendor to perform

those functions. Such solutions should come with built‐in integration with

the ERP, which could greatly benefit the organization. If an SCM or a

CRM is needed and there is no ERP in place, the organization should

consider the totality of its requirements and determine whether a

combined capability is needed or a point solution (just SCM or CRM) is

what is needed. Certainly an SCM or a CRM can be implemented on its

own, but as the organization looks forward, it may wish to select such a

system that has the ability to be expanded to include other modules as

may be needed in the future. The selection should, therefore, be based on

a combination of what the needs are, what systems are already in place,

and what future needs should be considered.

© 2023 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the

validity or integrity of information located at external sites.

Enterprise Systems https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

11 of 11 2/19/2023, 8:31 PM

Information Systems Security

Introduction

As computers and other digital devices have become essential to business

and commerce, they have also increasingly become a target for attacks. In

order for a company or an individual to use a computing device with

confidence, they must first be assured that the device is not compromised

in any way and that all communications will be secure. In this reading, we

will review the fundamental concepts of information systems security and

discuss some of the measures that can be taken to mitigate security

threats. We will begin with an overview focusing on how organizations

can stay secure. Several different measures that a company can take to

improve security will be discussed. We will then follow up by reviewing

security precautions that individuals can take in order to secure their

personal computing environment.

The Information Security Triad: Confidentiality,
Integrity, Availability (CIA)

Confidentiality

When protecting information, we want to be able to restrict access to

those who are allowed to see it; everyone else should be disallowed from

learning anything about its contents. This is the essence of

Learning Resource

Information Systems Security

1 of 20 2/19/2023, 8:30 PM

Link: https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learning-resourcelist/information-systemssecurity.html?
wcmmode=disabled#

confidentiality. For example, federal law requires that universities restrict

access to private student information. The university must be sure that

only those who are authorized have access to view the grade records.

The Information Security Triad

Integrity

Integrity is the assurance that the information being accessed has not

been altered and truly represents what is intended. Just as a person with

integrity means what he or she says and can be trusted to consistently

represent the truth, information integrity means information truly

represents its intended meaning. Information can lose its integrity

through malicious intent, such as when someone who is not authorized

makes a change to intentionally misrepresent something. An example of

this would be when a hacker is hired to go into the university’s system

and change a grade.

Integrity can also be lost unintentionally, such as when a computer power

surge corrupts a file or someone authorized to make a change

accidentally deletes a file or enters incorrect information.

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

2 of 20 2/19/2023, 8:30 PM

Availability

Information availability is the third part of the CIA triad. Availability

means that information can be accessed and modified by anyone

authorized to do so in an appropriate time frame. Depending on the type

of information, appropriate time frame can mean different things. For

example, a stock trader needs information to be available immediately,

while a salesperson may be happy to get sales numbers for the day in a

report the next morning. Companies such as Amazon.com will require

their servers to be available 24 hours a day, 7 days a week. Other

companies may not suffer if their web servers are down for a few minutes

once in a while.

Tools for Information Security

In order to ensure the confidentiality, integrity, and availability of

information, organizations can choose from a variety of tools. Each of

these tools can be utilized as part of an overall information‐security

policy, which will be discussed in “Security Policies.”

Authentication

The most common way to identify someone is through their physical

appearance, but how do we identify someone sitting behind a computer

screen or at the ATM? Tools for authentication are used to ensure that

the person accessing the information is, indeed, who they present

themselves to be.

Authentication can be accomplished by identifying someone through one

or more of three factors: something they know, something they have, or

something they are. For example, the most common form of

authentication today is the user ID and password. In this case, the

authentication is done by confirming something that the user knows

(their ID and password). But this form of authentication is easy to

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

3 of 20 2/19/2023, 8:30 PM

compromise (see “Password Security” below) and stronger forms of

authentication are sometimes needed. Identifying someone only by

something they have, such as a key or a card, can also be problematic.

When that identifying token is lost or stolen, the identity can be easily

stolen. The final factor, something you are, is much harder to

compromise. This factor identifies a user through the use of a physical

characteristic, such as an eye‐scan or fingerprint. Identifying someone

through their physical characteristics is called biometrics.

A more secure way to authenticate a user is to do multi‐factor

authentication. By combining two or more of the factors listed above, it

becomes much more difficult for someone to misrepresent themselves.

An example of this would be the use of an RSA SecurID token. The RSA

device is something you have and will generate a new access code every

60 seconds. To log in to an information resource using the RSA device,

you combine something you know, a four‐digit PIN, with the code

generated by the device. The only way to properly authenticate is by both

knowing the code and having the RSA device.

Access Control

Once a user has been authenticated, the next step is to ensure that they

can only access the information resources that are appropriate. This is

done through the use of access control. Access control determines which

users are authorized to read, modify, add, and/or delete information.

Several different access control models exist. Here we will discuss two:

the access control list (ACL) and role‐based access control (RBAC).

For each information resource that an organization wishes to manage, a

list of users who have the ability to take specific actions can be created.

This is an access control list, or ACL. For each user, specific capabilities

are assigned, such as read, write, delete, or add. Only users with those

capabilities are allowed to perform those functions. If a user is not on the

list, they have no ability to even know that the information resource

exists.

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

4 of 20 2/19/2023, 8:30 PM

ACLs are simple to understand and maintain. However, they have several

drawbacks. The primary drawback is that each information resource is

managed separately, so if a security administrator wanted to add or

remove a user to a large set of information resources, it would be quite

difficult. And as the number of users and resources increase, ACLs

become harder to maintain. This has led to an improved method of access

control, called role‐based access control, or RBAC. With RBAC, instead of

giving specific users access rights to an information resource, users are

assigned to roles and then those roles are assigned the access. This allows

the administrators to manage users and roles separately, simplifying

administration and, by extension, improving security.

Comparison of ACL and RBAC

Access control list (ACL) and role‐based access control (RBAC)

Encryption

Many times, an organization needs to transmit information over the

Internet or transfer it on external media such as a CD or flash drive. In

these cases, even with proper authentication and access control, it is

possible for an unauthorized person to get access to the data. Encryption

is a process of encoding data upon its transmission or storage so that only

authorized individuals can read it. This encoding is accomplished by a

computer program, which encodes the plain text that needs to be

transmitted; then the recipient receives the cipher text and decodes it

(decryption). In order for this to work, the sender and receiver need to

agree on the method of encoding so that both parties can communicate

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

5 of 20 2/19/2023, 8:30 PM

properly. Both parties share the encryption key, enabling them to encode

and decode each other’s messages. This is called symmetric key

encryption. This type of encryption is problematic because the key is

available in two different places.

An alternative to symmetric key encryption is public key encryption. In

public key encryption, two keys are used: a public key and a private key.

To send an encrypted message, you obtain the public key, encode the

message, and send it. The recipient then uses the private key to decode it.

The public key can be given to anyone who wishes to send the recipient a

message. Each user simply needs one private key and one public key in

order to secure messages. The private key is necessary in order to decrypt

something sent with the public key.

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

6 of 20 2/19/2023, 8:30 PM

Public Key Encryption

Sender uses public key to encode, and reader uses private key to decode

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

7 of 20 2/19/2023, 8:30 PM

Password Security

So why is using just a simple user ID/password not considered a

secure method of authentication? It turns out that this single‐factor

authentication is extremely easy to compromise. Good password

policies must be put in place in order to ensure that passwords

cannot be compromised. Below are some of the more common

policies that organizations should put in place.

• Require complex passwords. One reason passwords are

compromised is that they can be easily guessed. A study found

that the top three passwords people used in 2012 were

“password,” 123456 and 12345678 (Gallagher, 2012). A

password should not be simple, or a word that can be found in a

dictionary. One of the first things a hacker will do is try to crack

a password by testing every term in the dictionary. Instead, a

good password policy is one that requires the use of a minimum

of eight characters, and at least one uppercase letter, one

special character, and one number.

• Change passwords regularly. It is essential that users change

their passwords on a regular basis. Users should change their

passwords every 60 to 90 days, ensuring that any passwords

that might have been stolen or guessed will not be able to be

used against the company.

• Train employees not to give away passwords. One of the

primary methods that is used to steal passwords is to simply

figure them out by asking the users or administrators.

Pretexting occurs when an attacker calls a helpdesk or security

administrator and pretends to be a particular authorized user

having trouble logging in. Then, by providing some personal

information about the authorized user, the attacker convinces

the security person to reset the password and tell him what it is.

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

8 of 20 2/19/2023, 8:30 PM

Another way that employees may be tricked into giving away

passwords is through email phishing. Phishing occurs when a

user receives an email that looks as if it is from a trusted source,

such as their bank, or their employer. In the email, the user is

asked to click a link and log in to a website that mimics the

genuine website and enter their ID and password, which are

then captured by the attacker.

Backups

Another essential tool for information security is a comprehensive backup

plan for the entire organization. Not only should the data on the

corporate servers be backed up, but individual computers used

throughout the organization should also be backed up. A good backup

plan should consist of several components.

• A full understanding of the organizational information resources.

What information does the organization actually have? Where is it

stored? Some data may be stored on the organization’s servers, other

data on users’ hard drives, some in the cloud, and some on third‐

party sites. An organization should make a full inventory of all of the

information that needs to be backed up and determine the best way

to back it up.

• Regular backups of all data. The frequency of backups should be

based on how important the data is to the company, combined with

the ability of the company to replace any data that is lost. Critical

data should be backed up daily, while less critical data could be

backed up weekly.

• Off‐site storage of backup data sets. If all of the backup data is being

stored in the same facility as the original copies of the data, then a

single event, such as an earthquake, fire, or tornado, would take out

both the original data and the backup! It is essential that part of the

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

9 of 20 2/19/2023, 8:30 PM

backup plan is to store the data in an off‐site location.

• Test of data restoration. On a regular basis, the backups should be

put to the test by having some of the data restored. This will ensure

that the process is working and will give the organization confidence

in the backup plan.

Besides these considerations, organizations should also examine their

operations to determine what effect downtime would have on their

business. If their information technology were to be unavailable for any

sustained period of time, how would it impact the business?

Additional concepts related to backup include the following:

• Universal Power Supply (UPS). A UPS is a device that provides

battery backup to critical components of the system, allowing them

to stay online longer and/or allowing the IT staff to shut them down

using proper procedures in order to prevent the data loss that might

occur from a power failure.

• Alternate, or “hot” sites. Some organizations choose to have an

alternate site where an exact replica of their critical data is always

kept up to date. When the primary site goes down, the alternate site

is immediately brought online so that there is little or no downtime.

As information has become a strategic asset, a whole industry has sprung

up around the technologies necessary for implementing a proper backup

strategy. A company can contract with a service provider to back up all of

their data or they can purchase large amounts of online storage space and

do it themselves. Technologies such as storage area networks and archival

systems are now used by most large businesses.

Firewalls

Another method that an organization should use to increase security on

its network is a firewall. A firewall can exist as hardware or software (or

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

10 of 20 2/19/2023, 8:30 PM

both). A hardware firewall is a device that is connected to the network

and filters the packets based on a set of rules. A software firewall runs on

the operating system and intercepts packets as they arrive to a computer.

A firewall protects all company servers and computers by stopping

packets from outside the organization’s network that do not meet a strict

set of criteria. A firewall may also be configured to restrict the flow of

packets leaving the organization. This may be done to eliminate the

possibility of employees watching YouTube videos or using Facebook from

a company computer.

Network Demilitarized Zone (DMZ)

Partially secured section of a network

Some organizations may choose to implement multiple firewalls as part of

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

11 of 20 2/19/2023, 8:30 PM

their network security configuration, creating one or more sections of

their network that are partially secured. This segment of the network is

referred to as a DMZ, borrowing the term demilitarized zone from the

military, and it is where an organization may place resources that need

broader access, but still need to be secured.

Intrusion Detection Systems

Another device that can be placed on the network for security purposes

is an intrusion detection system, or IDS. An IDS does not add any

additional security; instead, it provides the functionality to identify if the

network is being attacked. An IDS can be configured to watch for specific

types of activities and then alert security personnel if that activity occurs.

An IDS also can log various types of traffic on the network for analysis

later. An IDS is an essential part of any good security setup.

Virtual Private Networks

Using firewalls and other security technologies, organizations can

effectively protect many of their information resources by making

them invisible to the outside world. But what if an employee working

from home requires access to some of these resources? What if a

consultant is hired who needs to do work on the internal corporate

network from a remote location? In these cases, a virtual private

network (VPN) is called for.

A VPN allows a user who is outside of a corporate network to take a

detour around the firewall and access the internal network from the

outside. Through a combination of software and security measures,

this lets an organization allow limited access to its networks while at

the same time ensuring overall security.

Physical Security

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

12 of 20 2/19/2023, 8:30 PM

An organization can implement the best authentication scheme in the

world, develop the best access control, and install firewalls and intrusion

prevention, but its security cannot be complete without implementation

of physical security. Physical security is the protection of the actual

hardware and networking components that store and transmit

information resources. To implement physical security, an organization

must identify all of the vulnerable resources and take measures to ensure

that these resources cannot be physically tampered with or stolen. These

measures include the following.

• Locked doors. It may seem obvious, but all the security in the world

is useless if an intruder can simply walk in and physically remove a

computing device. High‐value information assets should be secured

in a location with limited access.

• Physical intrusion detection. High‐value information assets should be

monitored through the use of security cameras and other means to

detect unauthorized access to the physical locations where they

exist.

• Secured equipment. Devices should be locked down to prevent them

from being stolen. One employee’s hard drive could contain all of

your customer information, so it is essential that it be secured.

• Environmental monitoring. An organization’s servers and other high‐

value equipment should always be kept in a room that is monitored

for temperature, humidity, and airflow. The risk of a server failure

rises when these factors go out of a specified range.

• Employee training. One of the most common ways thieves steal

corporate information is to steal employee laptops while employees

are traveling. Employees should be trained to secure their equipment

whenever they are away from the office.

Security Policies

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

13 of 20 2/19/2023, 8:30 PM

Besides the technical controls listed above, organizations also need to

implement security policies as a form of administrative control. In fact,

these policies should really be a starting point in developing an overall

security plan. A good information‐security policy lays out the guidelines

for employee use of the information resources of the company and

provides the company recourse in case an employee violates a policy.

According to the SANS Institute, a good policy is “a formal, brief, and

high‐level statement or plan that embraces an organization’s general

beliefs, goals, objectives, and acceptable procedures for a specified

subject area.” Policies require compliance; failure to comply with a policy

will result in disciplinary action. A policy does not lay out the specific

technical details, instead it focuses on the desired results. A security

policy should be based on the guiding principles of confidentiality,

integrity, and availability (SANS Institute,

n.d.).

A good example of a security policy that many will be familiar with is a

web use policy. A web use policy lays out the responsibilities of company

employees as they use company resources to access the Internet.

A security policy should also address any governmental or industry

regulations that apply to the organization. For example, if the

organization is a university, it must be aware of the Family Educational

Rights and Privacy Act (FERPA), which restricts who has access to student

information. Health care organizations are obligated to follow several

regulations, such as the Health Insurance Portability and Accountability

Act (HIPAA).

A good resource for learning more about security policies is the SANS

Institute’s Information Security Policy Page.

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

14 of 20 2/19/2023, 8:30 PM

Mobile Security

As the use of mobile devices such as smartphones and tablets

proliferates, organizations must be ready to address the unique

security concerns that the use of these devices bring. One of the

first questions an organization must consider is whether to allow

mobile devices in the workplace at all. Many employees already have

these devices, so the question becomes: Should we allow employees

to bring their own devices and use them as part of their employment

activities? Or should we provide the devices to our employees?

Creating a BYOD (“Bring Your Own Device”) policy allows employees

to integrate themselves more fully into their job and can bring higher

employee satisfaction and productivity. In many cases, it may be

virtually impossible to prevent employees from having their own

smartphones or iPads in the workplace. If the organization provides

the devices to its employees, it gains more control over use of the

devices, but it also exposes itself to the possibility of an

administrative (and costly) mess.

Mobile devices can pose many unique security challenges to an

organization. Probably one of the biggest concerns is theft of

intellectual property. For an employee with malicious intent, it would

be a very simple process to connect a mobile device either to a

computer via the USB port, or wirelessly to the corporate network,

and download confidential data. It would also be easy to secretly

take a high‐quality picture using a built‐in camera.

When an employee does have permission to access and save

company data on his or her device, a different security threat

emerges: that device now becomes a target for thieves. Theft of

mobile devices (in this case, including laptops) is one of the primary

methods that data thieves use.

So what can be done to secure mobile devices? It will start with a

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

15 of 20 2/19/2023, 8:30 PM

good policy regarding their use. According to a 2013 SANS study,

organizations should consider developing a mobile device policy that

addresses the following issues: use of the camera, use of voice

recording, application purchases, encryption at rest, Wi‐Fi

autoconnect settings, bluetooth settings, VPN use, password

settings, lost or stolen device reporting, and backup (SANS Institute,

n.d.).

Besides policies, there are several different tools that an organization

can use to mitigate some of these risks. For example, if a device is

stolen or lost, geolocation software can help the organization find it.

In some cases, it may even make sense to install remote data‐

removal software, which will remove data from a device if it becomes

a security risk.

Usability

When looking to secure information resources, organizations must

balance the need for security with users’ need to effectively access and

use these resources. If a system’s security measures make it difficult to

use, then users will find ways around the security, which may make the

system more vulnerable than it would have been without the security

measures! Take, for example, password policies. If the organization

requires an extremely long password with several special characters, an

employee may resort to writing it down and putting it in a drawer since it

will be impossible to memorize.

Personal Information Security

There is no way to have 100% security, but there are several simple steps

we, as individuals, can take to make ourselves more secure.

• Keep your software up to date. Whenever a software vendor

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

16 of 20 2/19/2023, 8:30 PM

determines that a security flaw has been found in their software,

they will release an update to the software that you can download to

fix the problem. Turn on automatic updating on your computer to

automate this process.

• Install antivirus software and keep it up to date. There are many

good antivirus software packages on the market today, including free

ones.

• Be smart about your connections. You should be aware of your

surroundings. When connecting to a Wi‐Fi network in a public place,

be aware that you could be at risk of being spied on by others

sharing that network. It is advisable not to access your financial or

personal data while attached to a Wi‐Fi hotspot. You should also be

aware that connecting USB flash drives to your device could also put

you at risk. Do not attach an unfamiliar flash drive to your device

unless you can scan it first with your security software.

• Back up your data. Just as organizations need to back up their data,

individuals need to as well. And the same rules apply: do it regularly

and keep a copy of it in another location. One simple solution for this

is to set up an account with an online backup service, such as Mozy

or Carbonite, to automate your backups.

• Secure your accounts with two‐factor authentication. Most email

and social media providers now have a two‐factor authentication

option. The way this works is simple: When you log in to your

account from an unfamiliar computer for the first time, it sends you a

text message with a code that you must enter to confirm that you

are really you. This means that no one else can log in to your

accounts without knowing your password and having your mobile

phone with them.

• Make your passwords long, strong, and unique. For your personal

passwords, you should follow the same rules that are recommended

for organizations. Your passwords should be long (eight or more

characters) and contain at least two of the following: uppercase

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

17 of 20 2/19/2023, 8:30 PM

letters, numbers, and special characters. You also should use

different passwords for different accounts, so that if someone steals

your password for one account, they still are locked out of your

other accounts.

• Be suspicious of strange links and attachments. When you receive an

email, tweet, or Facebook post, be suspicious of any links or

attachments included there. Do not click on the link directly if you

are at all suspicious. Instead, if you want to access the website, find

it yourself and navigate to it directly.

You can find more about these steps and many other ways to be secure

with your computing by going to Stop. Think. Connect. This website is

part of a campaign that was launched in October of 2010 by the STOP.

THINK. CONNECT. Messaging Convention in partnership with the US

government, including the White House.

Summary

As computing and networking resources have become more and more an

integral part of business, they have also become a target of criminals.

Organizations must be vigilant with the way they protect their resources.

The same holds true for us personally: as digital devices become more

and more intertwined with our lives, it becomes crucial for us to

understand how to protect ourselves.

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

18 of 20 2/19/2023, 8:30 PM

Study Questions

1. Briefly define each of the three members of the information

security triad.

2. What does the term authentication mean?

3. What is multi‐factor authentication?

4. What is role‐based access control?

5. What is the purpose of encryption?

6. What are two good examples of a complex password?

7. What is pretexting?

8. What are the components of a good backup plan?

9. What is a firewall?

10. What does the term physical security mean?

References

Gallagher, S. (2012, November 3) Born to be breached. Retrieved on May

15, 2013, from http://arstechnica.com/information‐technology/2012/11

/born‐to‐be‐breached‐the‐worst‐passwords‐are‐still‐the‐most‐common/

SANS Institute (n.d.). A short primer for developing security policies.

Retrieved from http://www.sans.org/security‐resources/policies/

SANS Institute (n.d.). SANS Institute’s mobile device checklist. Retrieved

from www.sans.org/score/checklists/mobile‐device‐checklist.xls

Licenses and Attributions

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

19 of 20 2/19/2023, 8:30 PM

Chapter 6: Information Systems Security (https://www.saylor.org

/site/textbooks

/Information%20Systems%20for%20Business%20and%20Beyond )

from Information Systems for Business and Beyond by David T. Bourgeois

is available under a Creative Commons Attribution 3.0 Unported

(https://creativecommons.org/licenses/by/3.0/) license. © 2014, David

T. Bourgeois. UMGC has modified this work and it is available under the

original license.

© 2023 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the

validity or integrity of information located at external sites.

Information Systems Security https://leocontent.umgc.edu/content/umuc/tus/ifsm/ifsm300/2228/learni…

20 of 20 2/19/2023, 8:30 PM

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond

https://creativecommons.org/licenses/by/3.0/

https://creativecommons.org/licenses/by/3.0/

https://creativecommons.org/licenses/by/3.0/

https://creativecommons.org/licenses/by/3.0/

https://creativecommons.org/licenses/by/3.0/

https://creativecommons.org/licenses/by/3.0/

https://creativecommons.org/licenses/by/3.0/