Information systems (IS)
A. How leveraging an IS solution will help Soliel Panel Distribution achieve operational efficiency
In the computing and business worlds, information systems (IS) are assets that help collect, process, store and communicate data/information. These assets can be people, computer hardware or software, communication networks, IT services, or procedures. Common types of current IS include enterprise systems (like ERP, CRM and SCM), expert systems, e-commerce sites, data analytics, groupware, databases, data warehouses, and office automation software (Wang, 2013). Businesses are strategically adopting IS solutions to achieve and sustain superior competitive advantages (CA) in the dimensions of information quality, operational efficiency, innovation, and market share. IS solutions have significant consequences for businesses that embrace them to strategically prepare for and respond to evolving internal and external changes (Alshubaily & Altameem, 2017). Therefore, managers stand to gain a sustainable edge against rivals if they carefully consider and implement such systems.
Wang (2013) argues that IS solutions play a major role in helping businesses remain competitive in a number of ways. To start with, IS solutions (such as ERP and SCM) provide employees with consistent, accurate, reliable and up-to-date information and business intelligence. Cash transactions, sales and marketing, human resources management and payroll, manufacturing processes, inventory management, order fulfillment, and other routine business processes become more efficient and cost-effective due to streamlined information-driven operations. For example, reports from an ERP may be used to ascertain the human resources and techniques that contribute most to product or service delivery. Businesses can thus react to evolving internal and external changes more quickly and efficiently; therefore, IS maximizes agility. Secondly, office automation systems facilitate faster and accurate completion of the day-to-day tasks, including word processing, publishing and spreadsheets (Wang, 2013).
Cloud-based business systems, groupware, teleconferencing, and virtual private networks (VPNs) have emerged as powerful solutions to secure and reliable delivery of “anytime, anywhere” access to information and IT services to mobile employees. This means that employees are more connected, productive and efficient within and beyond their offices. Consequently, these resources are crucial to improving the quality and cost-effectiveness of product or service delivery, which bolsters customer satisfaction and competitiveness (Alshubaily & Altameem, 2017). Enterprises leverage secure and reliable IS solutions to establish effective and efficient processes with their partners, customers, suppliers, vendors, regulators, and employees. These business stakeholders can easily and seamlessly interact and collaborate using interactive calendaring, document sharing, email, videoconferencing, VoIP, and other integrated data, voice and video technologies, which boosts job productivity and satisfaction, cost savings, customer service, and product delivery among other operational efficiency performance measures (Wang, 2013). Mohammed and Hu (2015) assert that converged data, voice and video IP networks minimize the prevalence of project delays, communication problems, and revenue loss. For example, modern IP communication technologies minimize travel needs, thus more time is spent pursuing core business goals. In addition, reduced travel implies cost savings.
A1. How BPM enables the development of a business process and system configuration concurrently in relation to development and implementation of SolDistHR
Processes are fundamental business assets, thus they must be properly understood, developed and managed to deliver value to stakeholders, especially customers, employees, suppliers and partners. BPM uses different people, technologies and techniques to define, discover, analyze, model, automate, manage, improve, measure or monitor, and optimize business processes (Brocke & Rosemann, 2014). Basically, BPM adopts a lifecycle made up of the following stages:
- Design: work with an existing or new process and visualize it to understand the workflows and areas worth improvement.
- Modeling: theoretically test different situations.
- Execution: develop and automate the process.
- Monitoring: continually assess how the process is functioning.
- Optimization: adjust the process to incorporate essential changes.
Palmer (2014) argues that BPM entails a deliberate and collaborative definition, visualization, innovation, management, and improvement of business processes to drive better outcomes, align business strategy and processes, and create value. BPM advocates for application of a process-oriented approach to development, implementation, optimization and improvement of management systems to meet customer requirements and expectations (Palmer, 2014). As such, BPM is critical to configuration of a system in a way that promotes customer satisfaction.
BPM is sometimes applied in software development to support identification, analysis and prioritization of potential improvement opportunities. The software team at Soliel may use BPM to perform the following tasks (borrowed from Brocke & Rosemann, 2014):
- Identify or define existing or new HR processes and functions.
- Design and visualize the to-be HR processes and functions, including process flows, standard operating procedures, alerts, and SLAs among other important areas. What-if-analysis and if-else tools may be used to determine areas of improvement.
- Determine the success criteria.
- Analyze various options to ascertain and select the optimal improvement.
- Develop and implement the selected improvement.
- Monitor the implemented improvement to understand performance.
- Optimize the implemented improvement to address challenges and exploit opportunities over time.
Therefore, in the context of SolDistHR development and implementation, BPM may be used to help Soliel better “design, model, execute, monitor, and optimize” the processes of HR management and orientation. This way, Soliel could realize improved outcome of the SolDistHR project aligned with strategic business goals.
A2. How each of the 5 steps of change management could be applied to the development of SolDistHR
Change management may have three implications depending on the context of use in software projects. In project management, it means controlling changes to code and documentation among other artifacts – usually called configuration management (like version control). The second meaning applies to implementation of a new organizational change or project. Here, change management necessitates communication plans, stakeholder involvement and acceptance, and user adoption. The last meaning applies to managing change requests in the course of software development process (Francino, 2010). This question focuses on the third context of change management – managing change requests.
Change requests are inevitable in any software development project. Changes in user requirements, specifications, design or code may lead to excessive time and cost overruns if they are poorly managed (Kerzner & Kerzner, 2017). Therefore, having an effective change management plan is a critical success factor. The following change management steps could be applied to the development of SolDistHR (borrowed from Schiesser, 2002):
- Filtering and documentation of change requests: gather necessary information regarding a change request to ensure that later assessment and estimation processes are accurate.
- Managing change: assess the objectives and resources (time, cost, personnel and technological tools) required to successfully achieve the change.
- Chairing the “Change Advisory Board” or CAB: all the risks and their probability of occurrence and impact levels of the requested change should be adequately analyzed prior to actual implementation. A number of questions must be answered to determine the feasibility of change implementation. For instance, what are the consequences of not implementing the change? What is the impact on the delivery schedule? Is there potential service interruption? Are there adequate resources? Based on the findings, the CAB may approve or disapprove the change and communicate the decision.
- Executing the approved change: plan, build, implement, test, deploy, and close the request for change.
- Performing post-implementation monitoring: verify that the change has been properly deployed and provide necessary documentation.
A3. 4 key contributors to the project and each contributor’s responsibilities within the development of SolDistHR
Effective identification, involvement and commitment of different stakeholders is one of the major enablers of successful project delivery. It is important to assign clear roles and responsibilities to people engaged in a project. Attention should be focused on business, management, process, and technical interests (DSDM Consortium, 2008). The following are four key contributors to the SolDistHR project in addition to their corresponding roles and responsibilities (borrowed from DSDM Consortium, 2008):
- Business sponsor: the senior-most business role at the project level. He/she is the overall project champion dedicated to the proposed project and the delivery approach. Specifically tasked with the business case, ownership of the project once delivered, and realization of expected benefits. The business sponsor ought to be a person who holds a senior role in an organization so that he/she can resolve escalated issues, including stakeholder conflicts, human resourcing, and financial decisions.
- Project manager: responsible for every aspect of IS project or solution delivery, thus he/she will plan, manage and coordinate the entire working environment throughout the development process. The following are the specific responsibilities:
  - Communicate with other stakeholders, including business management, development teams, business sponsor, and others on a regular basis.
  - Project planning – time and budget scheduling, communication planning, and human resource planning.
  - Risk management and escalating critical issues to senior roles as necessary.
  - Manage project configuration.
  - Motivate teams to focus on and meet objectives.
  - Handle problems forwarded by the “solution development teams”.
  - Coach the development teams, particularly when handling challenging situations.
- Business analyst: ensure that technical and business needs are decisively and accurately analyzed and reflected in the solution. He/she facilitates communications among stakeholders (especially the technical and business persons) to ensure active involvement in the project evolution process. In addition, he/she ensures that the business and technical implications of everyday decisions are appropriately thought through.
- Solution developers: interpret functional and non-technical requirements and translate them into a solution that can be deployed. The role is actively involved throughout the project, working with technical and business roles to develop the solution iteratively and incrementally. They also provide the documentation needed to support the solution upon rollout. They also perform the following tasks:
  - Record and implement approved change requests.
  - Participate in all quality assurance efforts.
  - Test their output before subsequent independent testing.
B1. System development method selected for implementing SolDistHR
Today, organizations face increasing pressure to deliver functional solutions within tight timescales while ensuring quality. As such, the processes used in the development of today’s solutions must be sufficiently agile and iterative to deliver the business needs as quickly as they are required. DSDM and scrum have been applied as viable approaches to IT projects because of their principle of delivering minimum operational products within a short timeframe and then evolving them as more requirements become apparent (DSDM Consortium, 2008). Evidently, the Soliel scenario is characterized by an urgent need for an HR solution to address emerging challenges triggered by rapid growth in operations and employee workforce. As such, an agile development approach (DSDM to be specific) is the proposed methodology as it will enable Soliel to complete its project successfully within a short timeframe and without critical quality issues.
Other than the benefits described above, DSDM has a host of strengths that make it an ideal methodology for implementing SolDistHR. To start with, DSDM delivers a minimum viable solution within two to three weeks followed by iterative and incremental releases until the final product is deployed (Rao, Naidu, & Chakka, 2011). Moran (2015) asserts that DSDM brings together diverse capabilities in the dimensions of task management as well as continuous coding, delivery, integration, and testing to facilitate faster development. It avoids the high incidence of project failure caused by batch management by adopting focused, continuous delivery while accepting contributions from various stakeholders to better manage change requests, discover and fix bugs, meet stakeholders’ needs, eliminate irrelevant features, and ensure quality. With DSDM you can speed up delivery, learn faster, minimize costs, optimize ROI, and beat competition. Fixing smaller problems at a time may help minimize the error rate and developers tend to experience lower stress levels (Moran, 2015). As such, Soliel may get a working solution within a few weeks and the entire software is built faster. A lean startup technique is therefore advisable to evaluate and evolve the new solution towards smooth and faster deployment. Furthermore, DSDM would overcome the frustration associated with delivery of a solution that does not meet business and user expectations, thus solution ownership by stakeholders is expected to be higher. It is worth noting that an early partial solution would enable Soliel to enjoy valuable features as early and as regularly as possible, thus driving faster ROI.
On the downside, DSDM involves costs related to development team training. Developers must have version control knowledge and deliver quick release-ready code and functionalities. Secondly, excessive “unknowns” may lead to predictability issues in the quantification of required time, cost, and workforce (Rao et al., 2011). Thirdly, a lot of interactions are involved throughout the project since agile approaches advocate for close cooperation. While this contributes to meeting user expectations, it may be extremely time-consuming and commitment intensive. Fourthly, potential lack of adequate client participation negatively affects delivery timeliness and product quality because developers may focus on wrong requirements. DSDM promotes less detailed documentation, thus new team members may experience difficulties as they try to understand certain features (Moran, 2015). Therefore, the software team at Soliel must prioritize the following measures to successfully deliver SolDistHR: focus on business need, never compromise deadline and quality, excellent team structure, team empowerment and collaboration, effective planning, change management, adequate and regular testing, continuous communication, and client involvement.
B2. How each of the milestones in the selected system development method would be executed as it relates to the implementation of SolDistHR
The DSDM lifecycle is entirely iterative and incremental, thus the solution is delivered sequentially. Urgent and critical business needs are delivered early while the less critical features are addressed later. DSDM has several variations of project development stages. However, the framework mainly comprises the following phases and associated products/deliverables/milestones (DSDM Consortium, 2008):
- Pre-Project: a formalized “Terms of Reference” that identifies and describes the business driver or problem, objectives and scope, business sponsor, and solution-business alignment is created and approved to justify feasibility assessment.
- Feasibility investigation:
  - Determine the viability of the proposed project from technical and business perspectives by investigating the costs (like time and funds) and benefits involved.
  - Possible delivery, governance and organization approaches as well as first-cut cost and timescale estimates are outlined.
- Establishing firm foundations:
  - Identification and prioritization (using strategies such as MoSCoW – Must Have, Should Have, Could Have, and Won’t Have) of high-level project requirements – “Prioritized Requirements List”.
  - Description of business processes the solution will support.
  - Identification of data/information that the solution will create, use or update.
  - Description of solution development lifecycle and associated management and communication techniques.
  - Solution architecture, including the infrastructural elements and technical standards.
  - Quality assurance strategies.
  - Build appropriate project governance and organization mechanism.
  - Baseline the solution development schedule.
  - Risk management plan.
- Exploration: intended to support iterative and incremental investigation of detailed business needs and translating them into a feasible solution. Specific outcomes include:
  - A functional preliminary solution as an early demonstration of the final solution.
  - If necessary, solution models may be created to demonstrate how business needs will be met.
  - An early provisional delivery may be performed if justified.
- Evolutionary development or engineering:
- Iterative and incremental evolution of the preliminary solution to achieve a fully operational system. Time-boxed sprints are adopted to support weekly or bi-weekly functional releases.
- Refined products essential to successful operation and support of the final solution in production.
- A review of overall solution alignment with business and technical performance objectives.
- The complete solution (or its increment) is deployed and configured into production or live business environment.
- End user training.
- Solution documentation.
- Project closure
- Post-project: a continuous reflection of solution performance in terms of created business value, preferably 3-6 months after deployment.
C. Potential internal and external security threats after SolDistHR implementation
Upon implementation, SolDistHR faces a number of internal and external security threats. Whitman (2003) postulates that there are three major types of insider software security threats, namely negligence, involuntary behavior and human error, and malicious acts. Employees and authorized third-parties (such as suppliers and vendors) who do not understand information security threats may leak, modify or delete data negligently or involuntarily. However, authorized people with sufficient information security awareness may intentionally leak, steal, modify or delete data. Insiders may become victims of social engineering schemes and unknowingly expose confidential data. They may also carry confidential data out of office using USB sticks, CD/DVDs or tablets, increasing the chances of it being accessed by unauthorized parties (Whitman, 2003). Even worse, employees (such as system administrators) with privileged rights may intentionally fail to install essential security updates and patches, exposing the system to security attacks. In addition, discontented insiders or ex-employees may open backdoors into other computer systems using malware codes to persistently steal or delete data. Malware may also be propagated through unsafe use of internet and unprotected personal devices at work (Whittle, 2008). Therefore, Soliel employees and third-parties are potential threat agents and they may perpetrate serious information security breaches negligently, accidentally or maliciously.
On the other hand, security threats may be manifested by external agents such as hackers, criminal gangs, hostile business rivals, or state-sponsored actors. For example, skilled hackers tend to carefully choose lucrative targets so that they can get high financial returns after a successful data breach. State-sponsored agents are usually motivated by data/information as opposed to money. They may exploit software errors, well-known vulnerabilities, unencrypted data, or default configuration to successfully execute attacks (Schultz, 2001). Hackers and hacktivists may also bring down the infrastructure that hosts mission-critical software systems (like SolDistHR in the current case) for monetary gain, fun or political reasons. Prolonged system outages and severe data breaches imply disruption of operations, customer dissatisfaction, revenue loss, ruined reputation, or even business closure (Takanen, Demott, & Miller, 2008). Therefore, SolDistHR faces external security threats that may be manifested through confidential data theft and subsequent financial liabilities.
D. Protection measures against digital and physical threats after the implementation of SolDistHR
There are several ways through which the above-mentioned security threats may be prevented or mitigated. Intrusion testing technologies may be used to assess the vulnerabilities in networks and software systems. Intrusion detection and intrusion prevention systems (ID&IPS) provide alerts in case of any suspicious activity or traffic on a network (Schultz, 2001). Malicious Web-related threats should be blocked using security tools such as firewalls and proxy servers. Database activities should be monitored and logged to detect potential instances of data leakage and unauthorized data creation, modification or deletion. A strong user authentication and authorization scheme should be deployed and devices kept up-to-date (Takanen et al., 2008). Restricted access to computer systems minimizes both internal and external attacks (Schultz, 2001).
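The database activity monitoring described above can be made concrete with a small detector; this is an added example, not part of the original essay. The log format, account names, table names and thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed policy (hypothetical account and table names): which accounts may
# create, modify or delete rows in which tables. Unlisted tables deny all writes.
WRITE_ALLOWED = {
    "payroll": {"hr_payroll_svc"},
    "employees": {"hr_admin", "hr_payroll_svc"},
}
WRITE_ACTIONS = {"INSERT", "UPDATE", "DELETE"}
BULK_READ_ROWS = 500  # assumed limit per user, per table, per clock hour

# Assumed audit log line format; real database audit logs differ by product.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>[A-Z]+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample input, not real log data.
SAMPLE_LOG = """\
2024-03-04T09:12:03Z user=hr_admin action=UPDATE table=employees rows=1
2024-03-04T09:15:40Z user=jdoe action=SELECT table=employees rows=12
2024-03-04T22:41:17Z user=jdoe action=UPDATE table=payroll rows=1
2024-03-04T22:43:02Z user=jdoe action=SELECT table=payroll rows=300
2024-03-04T22:47:55Z user=jdoe action=SELECT table=payroll rows=350
2024-03-04T23:02:11Z user=hr_payroll_svc action=DELETE table=payroll rows=2
this line is malformed and must not be silently dropped
"""


def analyze(log_text):
    """Return a list of (kind, line_number, detail) findings."""
    findings = []
    read_totals = defaultdict(int)   # (user, table, hour) -> rows read so far
    flagged_bulk = set()             # keys already reported, to alert only once
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            # A gap in the audit trail is itself worth an analyst's attention.
            findings.append(("unparsed_line", lineno, line))
            continue
        user, action, table = m["user"], m["action"], m["table"]
        rows = int(m["rows"])
        if action in WRITE_ACTIONS:
            # Unauthorized creation, modification or deletion.
            if user not in WRITE_ALLOWED.get(table, set()):
                findings.append(
                    ("unauthorized_write", lineno, f"{user} {action} {table}")
                )
        elif action == "SELECT":
            # Possible data leakage: many rows read by one account in one hour.
            key = (user, table, m["ts"][:13])  # "YYYY-MM-DDTHH" hour bucket
            read_totals[key] += rows
            if read_totals[key] > BULK_READ_ROWS and key not in flagged_bulk:
                flagged_bulk.add(key)
                findings.append(
                    ("bulk_read", lineno,
                     f"{user} read {read_totals[key]} rows from {table}")
                )
    return findings


if __name__ == "__main__":
    for kind, lineno, detail in analyze(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {detail}")
```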
Information security training should be directed at employees to enable them to recognize common security threats, especially social engineering tricks such as spamming and SMS-based password requests. Security-conscious work practices and culture should be promoted. Enterprise IT systems and security programs should be regularly updated and patched to tackle potential vulnerabilities and increase their security levels (Whittle, 2008). According to Whittle (2008), excessive system and database privileges should be removed to ensure that every privilege matches a specific job function. Moreover, ex-employees should have their privileges revoked after they exit to avoid misuse of such privileges to wreak havoc. Employees should be monitored closely to make sure that they do not abuse their privileges (Whittle, 2008). Personnel screening should be regularly conducted before and throughout an individual’s career to reduce the threat of insider attacks (Schultz, 2001).
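The privilege review described above (every privilege matches a job function, and departed staff lose access) can be run as a periodic reconciliation between the HR roster and the system's grants. The following is an added example, not part of the original essay; the job functions, privilege names and accounts are hypothetical, constructed data.

```python
# Assumed baseline: the privileges each job function needs (hypothetical names).
ROLE_BASELINE = {
    "hr_officer": {"employees:read", "employees:write"},
    "payroll_clerk": {"employees:read", "payroll:read", "payroll:write"},
    "warehouse_lead": {"employees:read"},
}

# Constructed HR roster: account -> job function and employment status.
HR_ROSTER = {
    "asmith": {"job": "hr_officer", "status": "active"},
    "bjones": {"job": "payroll_clerk", "status": "active"},
    "clee": {"job": "warehouse_lead", "status": "active"},
    "dkhan": {"job": "payroll_clerk", "status": "terminated"},
}

# Constructed grants as they might be exported from the application or database.
GRANTS = {
    "asmith": {"employees:read", "employees:write"},
    "bjones": {"employees:read", "payroll:read", "payroll:write", "db:admin"},
    "clee": {"employees:read", "payroll:read"},
    "dkhan": {"employees:read", "payroll:read"},
    "tmp_import": {"employees:write"},
}


def review_access(baseline, roster, grants):
    """Return (account, reason, privileges_to_revoke) tuples, sorted by account.

    Reasons:
      no_hr_record      - account has grants but matches nobody on the roster
      departed_employee - person is no longer active, so every grant must go
      unknown_job       - job function has no baseline, so nothing is justified
      excess_privilege  - grants beyond what the job function requires
    """
    findings = []
    for account in sorted(grants):
        granted = grants[account]
        if not granted:
            continue
        person = roster.get(account)
        if person is None:
            findings.append((account, "no_hr_record", sorted(granted)))
        elif person["status"] != "active":
            findings.append((account, "departed_employee", sorted(granted)))
        elif person["job"] not in baseline:
            findings.append((account, "unknown_job", sorted(granted)))
        else:
            excess = granted - baseline[person["job"]]
            if excess:
                findings.append((account, "excess_privilege", sorted(excess)))
    return findings


if __name__ == "__main__":
    for account, reason, revoke in review_access(ROLE_BASELINE, HR_ROSTER, GRANTS):
        print(f"{account}: {reason}: revoke {', '.join(revoke)}")
```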
Strong data encryption should be prioritized to ensure that leaked data is not accessed or used by unauthorized actors. It also ensures that data being transmitted and at rest is scrambled and thus worthless to attackers. Software should be adequately tested to remove flaws that may be exploited by attackers. Poor input validation is a common software flaw that can be exploited to launch SQL attacks. All default software configurations should be removed because they are well-known by attackers and thus they may be exploited (Takanen et al., 2008).
Whittle (2008) suggests formulation and enforcement of a policy to control the type of personal devices that may be used at the workplace – BYOD policy. Other policies should focus on acceptable or safe Web/internet usage, Wi-Fi access, and data classification.
E. An effective approach for both troubleshooting and restoring SolDistHR after system failures
Troubleshooting is mainly intended to identify the causes of a system failure and correct them to get the system back into the desired state of operation. It is important to solve emerging problems efficiently, economically and quickly to prevent instances of prolonged system outage, which could trigger serious operational problems, poor customer service, revenue loss, and other negative impacts (Clarke, Tryfonas, & Dodge, 2012). There are many approaches to system troubleshooting and restoration that may be applied to the SolDistHR following a failure, but the ultimate goal is to find the problem or cause and regain functionality. Clarke et al. (2012) recommend adoption of a clear, systematic approach made up of the following major phases:
- Verify that there is an actual problem: a problem is usually indicated by a decline in system performance. Verifying the problem may help determine whether a problem really exists or not to prevent wastage of effort and time on inexistent problems. In fact, some operators raise alarm due to lack of adequate system understanding, thus the need for verification.
- Identify and isolate the cause(s) of the problem: If a problem exists, its cause should be identified and isolated based on how system performance or mode of operation has deviated from normal.
- Correct the cause(s) of the problem: one or more causes of the problem may be identified. The actual causes (as opposed to impacts or symptoms) of the problem should be corrected efficiently, economically and quickly to restore the system back to normal.
- Confirm that the problem has been successfully corrected: verify that the system operates normally.
- Suggest strategies to prevent future failures: follow up to come up with a plan that can prevent or mitigate future recurrences of the problem. The plan should seek to completely address the core causes of the problem.
F. Importance and function of problem management in supporting SolDistHR once it is implemented
Once it is implemented, SolDistHR is subject to several problems that need to be effectively managed. Generally, a problem causes one or more undesired incidents. Problem management basically refers to the process of identification, classification, assessment of the impacts and severity levels, resolution, and documentation of problems that occur or could occur during the life of an IT system or service. It is primarily aimed at the following: preventing problems and subsequent consequences from occurring; eliminating recurring problems; and mitigating the problems that cannot be wholly prevented. Problem management also seeks to ensure that proper control measures are used in the implementation of selected resolutions. Problem management also maintains documentation of resolved and unresolved problems and their appropriate resolutions or workarounds to help organizations reduce the incidence and impacts of incidents in the future. As such, it strongly interfaces with the principle of knowledge management (KM), change management, and incident management (BMC Software, 2016b).
Service or help desk is the major function of problem management because it is the single contact point for service consumers or users to report problems and/or incidents and request resolution. This point helps handle incidents on the basis of their business impact – urgent and high-critical incidents are handled first while instantly and sequentially addressing other low-impact issues. To achieve this, there are separate tiers based on the estimated priority of different issues. Additionally, it promotes knowledge transfer (BMC Software, 2016b).
Problem management is an important process in the support of SolDistHR because it would facilitate the timely and efficient identification, resolution and documentation of the root cause(s) of incidents. It will also help ensure effective communication in the course of managing problems and incidents. Problem management will drive considerable value to Soliel by increasing the quality and availability of SolDistHR; therefore, it promotes less service disruption, increased staff efficiencies, and improved user satisfaction. Documenting problems and incidents that have been resolved is equivalent to maintaining a knowledge base that may be used to accelerate future resolution times and efficiencies, identify lasting solutions to prevent recurrences, and reduce the total number of problems/incidents.
G. Steps of incident management and how they would be applied to address issues and mitigate future issues related to SolDistHR
Incident management and service desk are closely aligned. When an IT service fails or is disrupted such that it cannot deliver the intended performance levels, it should be quickly restored to normal operation. Conditions that can trigger service disruption should also be prevented to avoid or mitigate actual service outage. An incident management process may follow the following major steps (BMC Software, 2016a):
- Incident identification: users report incidents to the service desk through walk-ups, phone calls, support chats, emails, or self-service. System scanning tools may also report incidents. The help desk determines whether the issue is actually an incident or a mere request because the two are handled differently.
- Incident logging: if the issue is ascertained to be an incident, then it is logged as a pending ticket with information such as the name and contact of the user, incident description, and the time and date when the incident was reported.
- Incident categorization: the category and priority (based on incidence of occurrence, impact and severity levels, and urgency) of the logged incident are assigned to ensure that it is properly sorted, modeled and tracked.
- Incident response:
  - Initial diagnosis: applicable to situations when the user is able to describe his/her problem and answer all troubleshooting questions – first-tier support.
  - Incident escalation: applied when advanced support is deemed necessary. A skilled technician is sent on-site.
  - Evaluation and diagnosis: staff applies a solution (such as installing a software patch or changing software configurations/settings) after diagnosing the incident.
  - Resolution and recovery: the service is restored to the desired SLA level.
- Incident closure: the incident is marked as closed, signaling an end to the entire incident process.
The abovementioned steps could be applied to address and mitigate future issues in relation to SolDistHR. The process would ensure quick incident resolution, enhanced incident/problem knowledge management, and optimized service availability.
Alshubaily, N. F., & Altameem, A. A. (2017). The Role of Strategic Information Systems (SIS) in Supporting and Achieving the Competitive Advantages (CA): An Empirical Study on Saudi Banking Sector. International Journal of Advanced Computer Science and Applications, 8(7), 128-139.
BMC Software. (2016a). ITIL Incident Management: Best Practices & Process Flow. Retrieved from http://www.bmc.com/guides/itil-incident-management.html
BMC Software. (2016b). ITIL Problem Management: Best Practices & Processes Flow. Retrieved from http://www.bmc.com/guides/itil-problem-management.html
Brocke, J. V., & Rosemann, M. (2014). Handbook on Business Process Management 2: Strategic Alignment, Governance, People and Culture. Springer Publishing Company, Incorporated.
Clarke, N., Tryfonas, T., & Dodge, R. (2012). Proceedings of the Seventh International Workshop on Digital Forensics and Incident Analysis (WDFIA 2012). Lulu.com.
DSDM Consortium. (2008). DSDM Atern: The Handbook. Atern.
Francino, Y. (2010). What does “change management” mean in software development and QA? Retrieved from https://searchsoftwarequality.techtarget.com/answer/What-does-change-management-mean-in-software-development-and-QA
Kerzner, H., & Kerzner, H. R. (2017). Project management: a systems approach to planning, scheduling, and controlling. John Wiley & Sons.
Mohammed, A., & Hu, W. (2015). Using Management Information Systems (MIS) to Boost Corporate Performance. International Journal of Management Science and Business Administration, 1(11), 55-61.
Moran, A. (2015). Managing Agile: Strategy, Implementation, Organization and People. Springer.
Palmer, N. (2014). What is BPM? Retrieved from https://bpm.com/what-is-bpm
Rao, K. N., Naidu, G. K., & Chakka, P. (2011). A study of the Agile software development methods, applicability and implications in industry. International Journal of Software Engineering and its applications, 5(2), 35-45.
Schiesser, R. (2002). IT Systems Management. Prentice Hall.
Schultz, E. (2001). The worse of two evils — Internal vs. external security threats. Retrieved from https://searchsecurity.techtarget.com/tip/The-worse-of-two-evils-Internal-vs-external-security-threats
Takanen, A., Demott, J. D., & Miller, C. (2008). Fuzzing for software security testing and quality assurance. Artech House.
Wang, J. (2013). Optimizing, Innovating, and Capitalizing on Information Systems for Operations. IGI Global.
Whitman, M. E. (2003). Enemy at the gate: threats to information security. Communications of the ACM, 46(8), 91-95.
Whittle, S. (2008, March 10). The top five internal security threats. ZDNet. Retrieved from https://www.zdnet.com/article/the-top-five-internal-security-threats