Marketing Plan for Apple Inc

Background on Apple Inc.

Apple Inc., formerly Apple Computer Inc., is a multinational corporation that creates consumer electronics, personal computers, servers and computer software, and is also a digital distributor of media content. It also operates a chain of retail stores known as Apple Stores. The founders of Apple Inc. are Steve Jobs and Steve Wozniak, who created Apple Computer on April 1, 1976 and incorporated the company on January 3, 1977 in Cupertino, California. For more than 30 years Apple Computer dominated as a manufacturer of personal computers, including the Apple II, Macintosh and Power Mac lines, but it faced low sales and low market share during the 1990s. With the introduction of the successful iPod music player in 2001, the iTunes Music Store in 2003 and the release of a video iPod (the fifth generation of the device), Apple established itself as a leader in the consumer electronics and media sales industries, leading it to drop the word Computer from the company’s name in 2007. The company is now best known for its range of iOS smartphones. As of 30 June 2015, Apple was the largest publicly traded corporation in the world by market capitalization. Apple is not only a computer brand; it goes well beyond that by creating brands that target a wider audience, innovating interactive products that make life easier, more fun and cooler. Apple Inc. uses the Apple brand to compete across all the other platforms in the competitive market. Apple’s products:

These Apple products are available in the market and show the firm’s variety in the marketing mix. As part of its product development intensive growth strategy, the company continues to develop new products such as the Apple electric vehicle, which is under development through collaboration with firms like Tesla Motors. This product mix shows that Apple’s marketing mix is widespread in terms of product variety, addressing customers’ needs in different areas of their lives. Apple’s marketing mix involves a favorable approach to distribution, making the most of the different distribution channels. The company uses selective distribution, ensuring control over its brands in the marketing mix. The following places are included in Apple’s distribution strategy:

The Apple Store, the online Apple Store and the App Store are the most widely used and preferred outlets that sell Apple’s products; however, Apple has also partnered with companies such as telecom carriers and fulfillment stores, through which third parties sell these products online, making thorough use of both online and offline platforms.

Strategic focus and plan

Apple’s mission statement

It states that “Apple designs Macs, the best personal computers in the world, along with OS X, iLife, iWork and professional software. Apple leads the digital music revolution with its iPods and iTunes online store. Apple has reinvented the mobile phone with its revolutionary iPhone and App store, and is defining the future of mobile media and computing devices with iPad”.

Apple’s vision statement

Apple’s current vision statement was introduced by CEO Tim Cook, who stated:

“We believe that we are on the face of the earth to make great products and that is not changing. We are constantly focusing on innovating. We believe in the simple not the complex. We believe that we need to own and control the primary technologies behind the products that we make, and participate only in markets where we can make a significant contribution. We believe in saying no to the thousands of projects, so that we can really focus on the few that are truly important and meaningful to us. We believe in deep collaboration and cross-pollination of our groups, which allow us to innovate in a way that others cannot. And frankly, we don’t settle for anything less than excellence in every group in the company, and we have the self-honesty to admit when we’re wrong and the courage to change. And I think regardless of who is in what job those values are so embedded in this company that Apple will do extremely well.”

Apple’s goal

Apple’s senior vice president of industrial design Jonathan Ive believes that Apple’s goal is not to make money but to make good products. Ive said, “We are really pleased with our revenues but our goal isn’t to make money. It sounds a little flippant, but it’s the truth. Our goal and what makes us excited is to make great products. If we are successful people will like them and if we are operationally competent, we will make money. Really great design is hard. Good is the enemy of great. Competent design is not too much of a stretch. But if you are trying to do something new, you have challenges on so many axes.”

Apple’s core competencies

According to Basu and Wright (2008), the production of music, video, movie and electronic records helped Apple gain valuable brand recognition, and in 2008 it was recognized as the 24th most valuable brand. Its core competencies are its innovative designs and its software-based technology. Apple’s core competencies are sturdy and very hard to duplicate, giving it a competitive edge over its competitors. The company holds closed registered trademarks, ensuring that its skills and its secret recipe cannot be appropriated. Apple is also very consistent in developing its product portfolio.

Apple Inc. SWOT Analysis and recommendations

Apple Inc.’s current success is linked to the company’s ability to use its strengths to overcome weaknesses and to maximize opportunities. According to the panmore.com webpage, the SWOT analysis also shows the most significant matters that Apple must address. It highlights the company’s strengths, which enable it to improve its position and financial performance, as well as the weaknesses and threats that need to be addressed through innovative strategies.

Apple’s strengths

This plan recognizes the greatest strengths that help the company withstand threats in its business environment. Such threats reduce business performance; Apple Inc.’s most striking strengths are:

  1. Strong brand image
  2. High profit margins
  3. Effective innovative process

Apple is one of the most important and strongest brands in the world.

This part of the SWOT analysis shows that the company can introduce new products that are profitable simply because of its strong brand image. It has a steady premium pricing strategy that yields good profit margins; this is a very important strength because it makes it easy for the firm to adjust prices while still ensuring significant profits. Apple is also known for fast innovation, driven by the company’s intensive growth strategies. Fast innovation keeps the firm current with the latest technologies and preserves its competitive edge. In line with this SWOT analysis, it is almost impossible to challenge the firm’s continued leadership in the industry.

Apple’s Weaknesses

In this aspect of Apple’s SWOT analysis, the emphasis is on the inadequacies of the company. Weaknesses can serve as obstacles to business growth. In Apple’s case, the following organizational weaknesses are the most notable:

  1. Limited distribution network
  2. High selling prices
  3. Sales limited mainly to high-end market

Apple has a limited distribution network because of the company’s policy of exclusivity. For example, the company carefully selects authorized sellers of its products. This part of Apple’s SWOT analysis shows that such an exclusive strategy supports control over the distribution of products, but limits the company’s market reach. In addition, because of the premium pricing strategy, Apple has the weakness of drawing most of its sales revenues from the high-end market (Yoo et al., 2010). This market is composed of customers from the middle and upper classes. Customers from the lower class, which represents the majority of buyers in the global market, are unable to purchase Apple products because of the relatively high prices. Thus, based on this dimension of Apple’s SWOT analysis, the company’s pricing and distribution strategies impose limitations on the business.

Opportunities for Apple Inc.

This aspect of Apple’s SWOT analysis clearly shows the most significant opportunities that the company can exploit. Opportunities influence the strategic direction of business organizations. In Apple’s case, the following are the most significant opportunities in its business environment:

  1. Distribution network expansion
  2. Rising demand for tablets and smartphones
  3. Creation of new product lines
  4. Introduction of antivirus

Apple has the opportunity to expand its distribution network. According to research-methodology.net, this opportunity directly relates to the weakness of the company’s restricted distribution network. This part of Apple’s SWOT analysis emphasizes the need for the company to change its distribution strategy. Expanding the distribution network will help the firm reach more customers in the global market. Apple also has the opportunity to explore new product lines. Apple’s current product lines are highly successful. Through further innovation, Apple can introduce new product lines, as the firm has already done with the Apple Watch. Developing new product lines can support the company’s growth. Introducing antivirus software would reduce virus infections on its computers, which affect the company’s position. Therefore, this dimension of Apple’s SWOT analysis indicates that the company has major opportunities for further growth despite aggressive competition.

Threats Facing Apple Inc.

In this aspect of Apple’s SWOT analysis, the focus is on the threats from various competitors. Threats can reduce the financial performance of companies (Leigh & Pershing, 2006). In Apple’s case, the following threats are the most significant:

  1. Aggressive competition
  2. Imitation
  3. Rising labor cost in countries where Apple plants are located

Tough competition in the industry stems partly from the aggressiveness of rival firms. Apple competes with firms like Samsung, Toshiba and Sony, which also use rapid innovation. This part of Apple’s SWOT analysis highlights the limiting effect of aggressive competition. In addition, Apple faces the threat of imitation or copying. Additionally, rising labor costs in Apple plants, for example in China, can reduce profit margins or push selling prices even higher. Thus, Apple must take appropriate action to overcome these threats.

Recommendations Based on Apple’s SWOT Analysis

Apple’s SWOT analysis indicates that the company possesses major strengths (Annual Report, 2014). The company can use its strong brand image and rapid innovation processes to successfully develop and launch new product lines. However, the firm faces significant threats from intense competition and imitation, which strongly affect the industry.

Apple Inc. Objectives and Strategies

Once a company has established its marketing mix and begun to understand its plan for the 4 P’s (product, place, price and promotion), it must then set objectives and strategies for what it aims to do and how it will reach its goals.

Product

Apple offers premium products at premium prices while still maintaining large market share and high profit margins.

Objective 1– Continue creating groundbreaking products

Strategy– Apple will need a strong team-building culture along with a strong research and development team, and must operate without complacency, never letting past success limit it.

Objective 2– Innovate and dictate the movement for future technology

Strategy– Continue the success of having the best products while listening to customer feedback.

Place

Apple products can be found in most areas of the world, and that is certainly the overall goal for a global business.

Objective 1– Expand chain of Apple stores globally

Strategy– Begin placing stores in all large markets and expand outward based on population and product demand.

Objective 2– Make products available in every other possible retail outlet, for example online retailers

Strategy– Place products in every retail store that carries electronic devices and on all e-commerce websites, and make sure mobile devices are featured on every large mobile carrier.

Price

With every premium branded product there comes a premium price. According to Yoo et al. (2010), ‘big name brands’ that present superior quality are expected to command the highest prices.

Objective 1– Enter and sustain premium pricing while attempting to gain market share.

Strategy– Price all products at the top of the market base price, relying on brand and quality to offset the price differential.

Objective 2– Increase profit margins.

Strategy– Continue pushing to lower the cost of production while sustaining the same retail price in the market.

Promotion

Building a brand and making it successful is the toughest challenge in a business. Success like this is not built without excellent marketing and promotion strategies.

Objective 1– Build hype and anticipation for new upcoming products.

Strategy– Use annual conferences and events to announce the release of new products, as this allows consumer demand for the product to build before it ever hits the shelf.

Objective 2– Sustain and expand the strongly branded name.

Strategy– Be a trend setter and let the others follow.

If Apple continues to set trends, enter new product lines and take its share of the market, it will dominate the competition.

References

Bernroider, E. (2002). Factors in SWOT Analysis Applied to Micro, Small-to-Medium, and Large Software Enterprises: an Austrian Study. European management journal, 20 (5), 562-573.

Helms, M. M., & Nixon, J. (2010). Exploring SWOT analysis-where are we now? A review of academic research from the last decade. Journal of Strategy and Management, 3 (3), 215-251.

Heracleous, L. (2013). Quantum Strategy at Apple Inc. Organizational Dynamics, 42 (2), 92-99.

Hill, T., & Westbrook, R. (1997). SWOT analysis: it’s time for a product recall. Long range planning, 30 (1), 46-52.

Leigh, D., & Pershing, A. J. (2006). SWOT analysis. The Handbook of Human Performance Technology, 1089-1108.

IT Project Management

IT Project Management: Scope Management Plan

Planning

The project scope management plan identifies and documents the specific requirements that the necessary IT solution must address to take Phill’s business to the next level of growth. From the gathered requirements, a project scope detailing the specific features of the required solution was defined. The project scope provides the basis for the work breakdown structure (WBS), which outlines the tasks that must be executed to achieve the intent of the project. Expert judgment was used to obtain information from Phill and other knowledgeable parties, including current employees. Furthermore, the project manager held meetings with selected team members, the client and stakeholders to precisely identify the project requirements from which the project scope is derived. The planning phase provides a scope management framework that describes the process of scope definition, monitoring, control and verification. In particular, the scope management plan outlines several processes, including preparing the scope statement, deriving the work breakdown structure from the scope statement, maintaining the WBS, formally accepting the project deliverables and handling scope changes. Furthermore, the scope management planning phase delivers a requirements management plan documenting the process of requirement analysis, documentation and continuous management throughout the project. The requirements management plan, among other components, highlights how requirement planning, tracking and reporting were performed, the process of managing the configuration for handling requirement changes, the prioritization of requirements, product metrics, and the requirement traceability structure. Therefore, the planning stage was used to outline a framework for the rest of the scope management plan components that will ensure the successful design, coding, testing, implementation and maintenance of an ERP-integrated e-commerce platform.

Scope Management Approach

The project manager will bear the entire responsibility for managing the project scope as defined by the WBS and the scope statement. Nevertheless, the project sponsor, manager and stakeholders will identify and approve project scope measurement documentation, including work performance measurements and deliverable quality checklists. Furthermore, the project manager, stakeholders or any other team member may initiate proposed scope changes. After evaluating and validating a scope change request, the project manager will present it to the sponsor for formal acceptance or approval. If the sponsor approves the scope change request, the project manager will communicate the changes to stakeholders and update the project documents accordingly. Therefore, while considering the feedback of the project manager and stakeholders, the sponsor will be responsible for the formal acceptance of the final project scope and deliverables.

Roles and Responsibility

The sponsor (Phil), the manager and the team will play an immense role in management; hence they must understand their particular responsibilities to ensure that executed tasks fall within the established scope. Figure 1 below defines specific roles and responsibilities for the key project stakeholders.

Figure 1: Roles and responsibilities for key categories of stakeholders

Project Scope Definition

The project management team focused on enterprise environmental factors, including organizational culture, available resources, market conditions and personnel administration, and on organizational process assets, such as procedures and policies, historical information and lessons learnt, as defined in the case study report. From this information, the team formulated relevant documentation, including the requirements management plan, which outlines what the new IT solution should address (Sanghera, 2019). Furthermore, input from relevant experts and the requirement gathering process formed an essential foundation for the project description and deliverables. In particular, expert judgment offered essential feedback on the least risky techniques that can be used to strategically influence growth at Phill’s Photos without affecting the organization’s culture.

Scope Statement

This project entails the design, implementation, verification and maintenance of an IT solution that can take Phill’s business to another level of growth, especially by enhancing supply chain management. In particular, Phill’s Photos needs a multi-warehouse, multi-channel supply chain network to ensure that the company can reach an expanded customer base and outsource resources, such as labor and printing services, from the global market. The project deliverables include an ERP (enterprise resource planning) integrated e-commerce website that will enhance order tracking in the supply chain. Because of the current resource limitations, Phill’s Photos should focus on implementing an ERP solution that treats the current warehouse and vendor stores not only as warehouses but also as market outlets, alongside the e-commerce website. In this regard, vendors will be able to download, print and frame Phil’s art, as well as handle shipping to online customers within their specific local market. Thus, the company will experience a significant upsurge in profits, especially from increased sales and commissions, as well as reduced shipping costs.

Nevertheless, the complete solution will have to be highly flexible to accommodate future modifications and expansions, including additional warehouses, online marketing, shipment tracking and outsourcing of labor. The solution is expected to help the company meet increased product demand and considerably reduce costs, especially through improved shipments and cheap overseas printing prices. Therefore, the project will be accepted after testing reveals that the new solution can support interactions with the critical set of stakeholders, including the company, vendors and customers. In particular, the solution will have to be compatible with both the current Phill’s Photos and vendors’ IT systems. However, ongoing IT system operations and maintenance do not fall within the project scope. Moreover, the project management team will consist of the project manager, four team leads and team members sourced from the Phill’s Photos and vendors’ IT departments. It is assumed that Phill’s Photos and the vendors will provide the necessary support and adequate internal resources to facilitate the successful completion of the project.

Work Breakdown Structure

The project management team will subdivide the work needed to complete this project into specific work packages that will be executed within defined durations. In this regard, while the project team works on individual tasks, the project manager will be able to effectively manage the scope of the project. In particular, the project is subdivided into four stages: the design phase, the coding phase, the testing phase, and the deployment and maintenance phase. Nevertheless, because project development will shift to the agile approach, the coding, testing, deployment and maintenance phases are not defined once for the entire project but will be carried out incrementally throughout the project lifecycle, as shown in Appendix 1.

Scope verification

The project manager will be responsible for the verification of project deliverables against the initial scope as expressed in the scope statement and the Work Breakdown Structure. After confirming that the scope is in line with the requirements as articulated in the project plan, the project manager and the customer/sponsor will hold a meeting in which the deliverable will be formally accepted. The Sponsor will be required to sign an acceptance document, hence indicating the official acceptance of the deliverable. Therefore, the project work is expected to consistently remain within the predefined scope throughout the project lifecycle.

Scope Control

The project manager and the team will work in harmony to ensure that development activities are within the scope of the project. In particular, the project management team will execute tasks and generate deliverables as illustrated in the WBS. The project manager will supervise the team and the progress of the project to ensure that the scope control process is observed. Nevertheless, changes to the scope of the project may be adopted after undergoing the necessary process. Change requests will have to be captured in a change request document, which will be submitted to the project manager. After reviewing the change request, the manager will either deny it, especially if it is not in line with the purpose of the project, or hold a meeting between the sponsor and the team to conduct further review and assess the anticipated impacts. If the change request is approved, the sponsor will accept it by signing the change control document. The sponsor and the manager will then update all relevant documents and communicate the scope alterations to stakeholders and team members.

References

Sanghera, P. (2019). Project Scope Management. In CAPM® in Depth (pp. 135-171). Apress, Berkeley, CA.

Appendices

Appendix 1: The Work Breakdown Structure

Information Technology Risk Assessment

Corporate Office Network Topology Evaluation

An enterprise topology includes the software, people and processes needed to standardize, integrate and interoperate policies, and is developed for large production company networks with a high number of users. Because of the high number of operational responsibilities, as well as connections, software deployment and authentication, among other network processes, an enterprise network security architecture includes an immense level of detail. According to Njogu, enterprise systems must effectively and efficiently balance the workload to avoid complete network lag or downtime. In this regard, identification and authentication management is immensely important to ensure controlled access to organizational resources. Organizations should emphasize a central strategy for user account management, as well as consistency in administrator privileges. Moreover, flexibility in network integration, encryption and authentication protocols greatly enhances software harmonization and network management.

For network administrators, a central approach to software management significantly enhances remote software loading and swift response to user demands. According to Njogu, information system solutions must address the entire spectrum of the organization’s demands in a standardized way and map to the business requirements. The enterprise network must support organizational demands including non-technical issues, such as industry regulations and laws related to the specific nature of the company’s business.

The Perimeter Protection

The organization should implement a demilitarized zone (DMZ), containing the PBX, the distribution and border routers, and the RAS, to protect the organization-wide network from attacks originating in the external environment. Moreover, the organization should deploy a dual firewall between the remote access server and the distribution routers to filter traffic from the internet to the company network through the demilitarized zone. The firewall will continuously monitor traffic and deny access to the DMZ, and hence to the company network, for all unauthorized traffic. A firewall configuration should be deployed to monitor and stop unusually long TCP sessions, which are probably covert channels used to exfiltrate company resources through the firewall. A reverse proxy must be integrated alongside the DMZ firewall to reduce the web server’s workload. Moreover, the DMZ host address should be configured on the routers, including end-to-end point security, IDS (intrusion detection system) sensors and an intrusion prevention system. The routers must also be able to perform ingress and egress filtering. Furthermore, it is immensely important to include packet sniffers in the demilitarized zone to prevent HTTP, FTP and SMTP traffic from bypassing the proxy server. Apart from the DMZ, the wireless network, which links remote users within and near the organization’s premises to the company network through the internet, should require secure access credentials, including a strong username and password. Wireless broadcasts should use WPA2 or 802.1X authentication and encryption, without broadcasting the SSID. Because some cyber-attack mechanisms are highly persistent and will eventually compromise the implemented cyber-security systems, information technology personnel should regularly perform vulnerability scans and penetration tests to identify weaknesses in the deployed configurations.

The organization should strongly emphasize perimeter protection activities, especially to enhance communication integrity and confidentiality and to support network availability, reducing downtime. According to Njogu, the network perimeter is a mission-critical region, because it largely determines the vulnerability of IT assets; if compromised it can lead to immense losses for the organization. Thus, the organization should conduct frequent employee training to improve their understanding of social engineering techniques, improving their ability to respond appropriately to information security breaches, especially through the external and internal access points on the firewall. Therefore, AFI should identify, monitor and align all external and internal network access points with a comprehensive defense mechanism to ensure improved information security.

Network Access Points

AFI’s WAN has numerous internal and external access points that support communication within the organization, offer internet connectivity and connect remote users to the company network. External network access points include two border routers, which connect a remote office through a virtual private network tunnel and route outbound network traffic. Moreover, the network infrastructure includes a PBX exchange system to support dial-in user connections. The wireless antenna, which offers a direct connection to the internal switches and consequently to the departmental subnets, and is hence a source of immense vulnerability, is another external network access point. Network access points internal to the perimeter protection include six layered VLAN switches segmenting the WAN into individual department subnets, a remote access server and two distribution routers. Because of the increased vulnerability arising from the wireless antenna and remote access, with their immense mobility and exposure, a comprehensive network protocol analysis and evaluation is needed to establish the security mechanisms required to prevent information security incidents.

The Remote Access Protocols

Remote access protocols are designed specifically to support remote access to the network and its resources. A remote access server acts as the internal network gateway, linking remote users to the internal network. In this regard, the server requires effective and efficient dial-up authentication protocols to enhance network security. Extensible authentication involves mutual validation between the authenticator, such as a RADIUS server, and the remote access client. The mutual validation process begins with the authenticator sending an authentication request, including a PIN and name, to the remote access client. The client must provide a valid response to the query to be granted access by the authenticator. The Extensible Authentication Protocol provides an EAP-TLS subtype standard, which is an immensely strong protocol that protects the network even if passwords are compromised, because an attacker would also need the client-side certificate to pass EAP-TLS authentication.

The point-to-point protocol (PPP), which supports AppleTalk, IPX/SPX and TCP/IP among numerous LAN protocols, provides the best client and server encryption. On the other hand, SLIP (Serial Line Internet Protocol) is a considerably older technology that can be used as a client in Windows 2000 or Windows NT, but it does not support dynamic host configuration. For this reason the protocol is not a good choice for the AFI network, which involves immense mobility. PAP, the password authentication protocol, is another server-side protocol that transmits a plaintext password without any encryption, so it can easily be bypassed. Moreover, the Shiva protocol (SPAP), which authenticates a password through encryption, is extremely weak and cannot meet AFI’s cyber-security demands. Furthermore, CHAP, the challenge handshake authentication protocol, which stores the password on the remote access server in plaintext format, is no longer the best selection for AFI, because the stored password can easily be used to cause immense security compromise if retrieved by hackers and attackers.

One of the best authentication protocols that AFI can consider implementing is MS-CHAP v2, the revised version of the CHAP protocol. MS-CHAP v2 stores an encrypted version of passwords and demands mutual authentication between the client and the authenticator, using a range of keys. Microsoft Point-to-Point Encryption, MS-CHAP v1 or v2, or EAP-TLS must be used for dial-up authentication. However, although MS-CHAP v2 is a relatively good protocol, it only applies to Microsoft protocols for communication authentication, while compatible but secure protocols for remote encryption and authentication offer an additional security layer. For the virtual private network, different categories of protocols are used to provide secure communication. A combination of EAP-TLS, L2TP and IPsec offers the necessary security for private, secure communications.
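To make the PAP versus CHAP contrast above concrete, the following added example (not part of the original report, nor any vendor's code) simulates both exchanges over a stand-in for the PPP link. It assumes a constructed peer name and shared secret, and follows the CHAP response computation of RFC 1994 (MD5 over Identifier, secret and challenge); it shows that PAP puts the password on the wire, that a CHAP response cannot be replayed against a fresh challenge, and that the CHAP server must nevertheless hold the secret itself, which is the storage weakness the report describes.

```python
"""PAP vs CHAP (RFC 1994) authentication, simulated end to end."""
import hashlib
import hmac
import os

# Server-side credential store for the remote access server.
# CHAP needs the shared secret itself (not a hash of it) to recompute the
# response, so a compromised RAS exposes directly usable secrets.
SECRETS = {"remote-user": b"correct horse battery staple"}  # constructed

# RFC 1994 CHAP Code field values
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def pap_request(peer_id: str, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: Peer-ID and password in cleartext."""
    pid = peer_id.encode()
    return bytes([len(pid)]) + pid + bytes([len(password)]) + password


def pap_verify(packet: bytes) -> bool:
    """Server side of PAP: parse the request and compare the password."""
    n = packet[0]
    pid = packet[1:1 + n].decode()
    m = packet[1 + n]
    pw = packet[2 + n:2 + n + m]
    expected = SECRETS.get(pid)
    return expected is not None and hmac.compare_digest(expected, pw)


def chap_challenge(size: int = 16) -> bytes:
    """Fresh random Challenge value; uniqueness is what defeats replay."""
    return os.urandom(size)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(peer_id: str, ident: int, challenge: bytes,
                response: bytes) -> bool:
    """Server side of CHAP: recompute the expected response from the stored
    plaintext secret and compare in constant time."""
    secret = SECRETS.get(peer_id)
    if secret is None:
        return False
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap_exchange(peer_id: str, client_secret: bytes):
    """One Challenge/Response round. Returns (accepted, transcript), where
    the transcript is the list of (code, identifier, value) packets that
    crossed the simulated link."""
    transcript = []
    ident = 0x2A  # constructed Identifier value
    challenge = chap_challenge()
    transcript.append((CHAP_CHALLENGE, ident, challenge))
    response = chap_response(ident, client_secret, challenge)
    transcript.append((CHAP_RESPONSE, ident, response))
    accepted = chap_verify(peer_id, ident, challenge, response)
    transcript.append((CHAP_SUCCESS if accepted else CHAP_FAILURE, ident, b""))
    return accepted, transcript


def secret_on_wire(packet: bytes, secret: bytes) -> bool:
    """Would a passive observer of this packet see the secret verbatim?"""
    return secret in packet


if __name__ == "__main__":
    pw = SECRETS["remote-user"]
    pap = pap_request("remote-user", pw)
    print("PAP accepted:", pap_verify(pap), "| secret visible on wire:",
          secret_on_wire(pap, pw))
    ok, log = run_chap_exchange("remote-user", pw)
    print("CHAP accepted:", ok, "| secret visible on wire:",
          secret_on_wire(log[1][2], pw))
    # Replaying the captured response against a new challenge must fail.
    print("CHAP replay accepted:",
          chap_verify("remote-user", log[0][1], chap_challenge(), log[1][2]))
```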

Network Security

            Managing a large network involves numerous safeguards, and the AFI wide area network needs a correspondingly large set of security features. One product that can substantially enhance AFI's network security is Symantec Endpoint Protection, which is highly scalable, grows with the demands of an expanding network and bundles several protection features. Beyond scalability and elasticity, Symantec Endpoint Protection offers five layers of protection: file, reputation, behaviour, network and repair. Its network layer includes an intrusion detection and prevention component, which significantly reduces the malware threat and protects the browser on each node. The agent also scans endpoints to remove worms, rootkits, bots, viruses and other malware. Thus, with a Symantec product offering this wide array of protection, AFI can significantly reduce the probability of a successful cyber-attack, bearing in mind that endpoint protection covers only the hosts on which the agent is installed and kept up to date.

            The comprehensive protection of the Symantec product, together with the flexibility it offers through scalability and central policy enforcement, also benefits the organization's operations. Its strengths include a reduction in system downtime and operating cost and an increase in productivity, since scans are scheduled centrally and the state of every feature is shown on a single dashboard. The tool also has a robust awareness feature: it automatically locates any system, including those arriving over the virtual private network or Wi-Fi, that attempts to connect and initiate communication. Because the product's intrusion detection and prevention operates on the endpoint, it does not see traffic between hosts that have no agent, so deploying it does not remove the need for a network-level intrusion detection and prevention system at the AFI perimeter and distribution layer.

From the above analysis, the AFI information systems assets can be mapped to the business objectives as shown in Table 1 below.

Asset: Mission
Oracle Database server: the most essential asset for AFI; supports bulk data processing.
SUS server: essential for patches and system updates.
Print and File server: stores consumer data and the company's confidential records.
Internal Distributed Network Server: important for internal sharing of resources among subnets.
Intranet Webserver: enhances sharing of resources and communication among servers.
Email server: offers communication, stores conversations for reference, and provides a shared calendar for assignments.
TCB workstations: display a server interface on the internal TCB network.
Cisco 3750 switches: one switch per department, which introduces a single point of failure for each department.
Departmental workstations: offer a data interface.
Distribution routers: aggregate product and marketing traffic and route offsite traffic.
VPN Gateway: offers a secure connection between the TCB network and remote users.
RAS (Remote Access Server): enables workers to connect to the company network from outside. Although it provides a secure connection, it is not a highly critical asset.
Private Branch Exchange: enables workers to dial in to the company wide area network from hotels, airports and homes.
Border Routers: offer connectivity and route inbound traffic.
Router & Wireless Antenna: enables wireless internet and network connectivity. It is among the most vulnerable access points, but the least critical.

Table 1: A mapping of the AFI information system assets and the business objective

Network Inventory

Table 2 below illustrates an inventory of the AFI network assets

Asset Type | Device Id | O/S Level | CPU, Mem, Disk, Display | Support Vendor | Model | Install date | Loc | Flr
Oracle DB Server | S001 | Windows 2008 R2 | 1.4 GHz x64 or Intel Itanium 2 processor, 512 MB RAM, 10 GB disk, Super VGA or higher-resolution monitor (800x600) | Microsoft | Lenovo System x3650 M5 | 1/02/2017 | Computing Base | 1st
Email Server | S002 | Windows 2008 R2 | as S001 | Microsoft | Lenovo System x3650 M5 | 1/02/2017 | Computing Base | 1st
File & Print Server | S003 | Windows 2008 R2 | as S001 | Lenovo | Lenovo System x3650 M5 | 1/02/2017 | Computing Base | 1st
Web Server | S004 | Windows Server 2012 | 1.4 GHz 64-bit processor (minimum), 512 MB RAM (minimum), 32 GB disk (minimum), Super VGA (800x600) monitor | Lenovo | Lenovo System x3650 M5 | 1/02/2017 | Computing Base | 1st
SUS Server | S005 | Windows Server 2012 | 1.4 GHz 64-bit processor (minimum), 512 MB RAM (minimum), 32 GB disk (minimum) | Lenovo | Lenovo System x3650 M5 | - | Computing Base | 1st
RAS Server | S006 | Windows 2008 R2 | as S001 | Lenovo | Lenovo System x3650 M5 | - | - | -
Private Branch Exchange | T001 | - | - | Verizon | Verizon Business managed IP PBX | - | - | -
Distribution Router 1 | R001 | Cisco IOS Software Release 12.2(31)SB4, 12.4XD7 and 12.4PI6 | 1.67 GHz Motorola Freescale 7448 processor, 1 GB memory default (2 GB maximum), 64 GB | Cisco | Cisco 7201 | - | - | -
Distribution Router 2 | R002 | - | 1.67 GHz Motorola Freescale 7448 processor, 1 GB memory default (2 GB maximum), 64 GB | Cisco | Cisco 7201 | - | - | -
Multi-layered Switch 1 | M001 | - | - | Cisco | Nexus switch | - | - | -
Multi-layered Switch 2 | M002 | - | - | Cisco | Catalyst 3750 series | - | - | -
Multi-layered Switch 3 | M003 | - | - | Cisco | Catalyst 3750 series | - | - | -
Multi-layered Switch 5 | M004 | - | - | Cisco | Catalyst 3750 series | - | - | -
Multi-layered Switch 6 | M006 | - | - | Cisco | Catalyst 3750 series | - | - | -
Firewall | F01 | - | - | - | - | - | - | -
Firewall | F01 | - | - | - | - | - | - | -
Laptop | - | - | - | - | - | - | - | -
Desktop | D0001 | Microsoft Windows 2010 | 1.4 GHz x64 processor, 2 MB, 520 MB | HP | HP | - | - | -
Desktop | D0002 | Microsoft Windows 2010 | 1.4 GHz x64 processor, 2 MB, 520 GB | HP | HP | - | - | -
Desktop | D0003 | Microsoft Windows 2010 | 1.4 GHz x64 processor, 2 MB, 520 GB | HP | HP | - | - | -
Desktop | D0004 | Microsoft Windows 2010 | 1.4 GHz x64 processor, 2 MB, 520 GB | HP | HP | - | - | -
("-" marks a cell left empty in the inventory; two firewalls share the Device Id F01 as listed.)

Table 2: Asset Inventory for AFI’s Network equipment

Risk Assessment and Management

The risk impact is the product of the potential risk and the probability of occurrence:

Risk Impact = Occurrence Probability * Potential Risk

Potential Risk

            Potential risk is any category of conceivable risk for an enterprise, or any risk attributable to a possible action. The risk refers to a threat or damage that may affect business operations. Once a business operates within a specific realm and a particular market, it encounters probable risk. The potential is calculated at as low a cost as possible, without immense focus on the details of individual risks. Potential risk is established by calculating the product of the total asset value, the vulnerability severity and the threat severity.

Potential Risk = Total Asset Value * Severity of Vulnerability * Severity of Threat

Risk Occurrence Probability

            The probability of risk occurrence is an estimate of how frequently an information security event transpires. In this regard, it is necessary to conduct a comprehensive review of historic events to determine the likelihood that an incident occurs. Each information security incident is rated on the scale shown in figure 1 below.

Figure 1: A framework for asset value measurement based on the CIA

From the AFI case study, the assets can be rated as shown below (1 = low, 2 = medium, 3 = high).

Asset | Confidentiality | Integrity | Availability
Oracle Database server | 3 | 3 | 3
SUS server | 3 | 3 | 2
Print and File server | 3 | 3 | 1
Internal Distributed Network Server | 2 | 2 | 3
Intranet Webserver | 2 | 2 | 2
Email server | 2 | 1 | 1
TCB workstations | 2 | 2 | 1
Cisco 3750 switches | 2 | 1 | 3
Departmental workstations | 2 | 3 | 2
Distribution routers | 3 | (not rated) | 2
VPN Gateway | 2 | 2 | 1
RAS (Remote Access Server) | 2 | 2 | 1
Private Branch Exchange | 2 | 1 | 1
Border Routers | 3 | 3 | 3
Router & Wireless Antenna | 3 | 1 | 1

Asset Valuation

Asset valuation is a technique for assessing the value of the company's information system assets with regard to the CIA matrix and several assumptions. The total value of an asset is the product of the asset value and the asset weight, as expressed below.

Total Asset Value = Asset Value * Weight of Asset

Assumptions

  1. The asset value depends on the sensitivity of the data it contains and on how badly a compromise of that data affects confidentiality, integrity or availability.
  2. The CIA value levels are as follows: 1 is low, 2 is medium and 3 is high.
  3. Information asset value is established by the sum of C+I+A.

Using the framework, an asset value matrix can be established as shown in figure 2 below.

Figure 2: the CIA matrix

From the case study analysis, the value matrix for the AFI assets can be expressed as below.

[Table 3 body: for each of the fifteen assets listed above, a 3 x 3 x 3 grid of asset values, with Confidentiality (L/M/H) as the outer columns, Integrity (L/M/H) as the inner columns and Availability (Low 1 / Medium 2 / High 3) as the rows, each cell holding the C+I+A value for that combination; individual cell values not reproduced.]

Table 3: The Value Matrix for the AFI information system assets

Asset Weight

            As noted earlier, an asset's value is determined by the sensitivity of the data it contains. In this regard, it is essential to recognise that similar data containers are not necessarily equally valuable to the organization. For instance, a database containing customer transactions may be more valuable to the organization than one containing employee information. Similarly, data about prominent customers may have greater value, with regard to business objectives, than data about walk-in or ordinary customers. Thus, the idea of 'weighting', or 'weight', was conceived to evaluate asset sensitivity according to the value of the data an asset contains or processes relative to the rest of the assets. Figure 3 illustrates this way of measuring the value of an asset with regard to the rest of the assets and the value of the data it contains or processes.

Figure 3: Asset Weight Measurement Framework

Therefore, according to the CIA matrix and the weight of an asset model, it is possible to determine the following total asset value using an asset weight matrix table as shown in figure 4.

Figure 4: A matrix for evaluating the total Weight of an Asset

Asset categorization

At this stage, the organization should place each asset in one of three categories based on the total asset value determined in the total asset matrix table. The category of an asset indicates the level of concern that asset warrants: more security implementation, investment and attention go to category I assets (total asset value between 20 and 27) than to category II assets (between 12 and 18 inclusive, the highlighted amounts in figure 4), and more to category II than to category III assets (value of 10 or less). From figure 4, it can be concluded that the total asset 

Vulnerability and Threat Assessment and Rating Methodology

The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or set of conditions that could allow assets to be harmed by an attack. When a vulnerability is exploited by a threat, it increases the likelihood of attack and leads to risk. Vulnerability rating gives an indication of, and an opportunity to see, the weaknesses inherent in or residing in the information assets of the organization.

Vulnerability and threat valuation assumptions include:

  • The same 1 to 3 rating scale will be used, in which a specific vulnerability or threat rated as high is assigned a 3, medium a 2 and low a 1 (figure 5).
  • The severity of the threat and the vulnerability is graded as very low (1), low (2), medium (3), high (4) and very high (5) (figure 6).

Figure 5: Exposure and susceptibility rating Paradigm

Figure 6: Vulnerability severity grading Paradigm

Vulnerability Rating Factors

A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

Susceptibility measures the effort required to successfully exploit a given weakness. For example, fire is a threat; poor fire prevention standards, poorly managed flammable liquids and poor circuit insulation are weaknesses (vulnerabilities) that help the fire threat to happen and cause damage.

Exposure (attacker access to the flaw) is the potential exposure to loss resulting from the occurrence of one or more threat events. It may be disseminated across other system components. Figure 5 depicts a model for rating the susceptibility and exposure of a flaw or vulnerability of an asset.

To measure the overall value of the severity of a vulnerability, the combination of the value of susceptibility and exposure rating must first be decided, as shown in figure 7. (Note: This rating table is similarly used for threat factors [impact and capability rating] in the following threat assessment section.)

Figure 7: a vulnerability Rating Framework

Threats Assessment and Rating Methodology

A general list of threats should be compiled and then reviewed by those most knowledgeable about the system, organization or industry to identify the threats that apply to the system. Each threat is derived from a specific vulnerability, rather than threats being identified generally without considering vulnerabilities. The value of a threat depends on the rating of its impact and its capability. Impact is the consequence, or the strength of the effect, on the business if the threat is realised.

Capability is a measure of a threat agent’s ability (including the level of effort required) to successfully attack an asset by exploiting its vulnerabilities, e.g., the threat agent’s technical ability, knowledge and available material to exploit the vulnerability.

As with the vulnerability measurement elements (susceptibility and exposure), capability and impact must both be rated for threat measurement. Figure 8 shows how capability and impact are used for threat ratings.

Figure 8: Threat Impact and capability rating framework

The model for grading the severity of the threat uses impact and capability of the threat, similar to the severity of vulnerability matrix in figure 6 and figure 7. The only difference is susceptibility and exposure for vulnerabilities are replaced with impact and capability for threat.

Risk Impact Measurement

Risk management is the act of determining what threats the organization faces, analyzing the vulnerabilities to assess the threat level and deciding how to deal with the risk. Security risk management is a management strategy for reducing the possible risk from an unacceptable to an acceptable level. There are four basic strategies for managing risk: transference, acceptance, avoidance and mitigation.

Risk assessment requires individuals to take charge of the risk management process. Risk assessment is the determination of a quantitative or qualitative estimate of risk related to a well-defined situation and a recognized threat (also called a hazard). Quantitative risk assessment requires calculations of two components of risk: the magnitude of the potential risk and the probability that the loss will occur.

Risk Impact = Potential Risk * Probability
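The chain of formulas on this page (asset value = C + I + A, total asset value = value * weight, the three category bands, potential risk = total asset value * vulnerability severity * threat severity, and risk impact = potential risk * probability) carried through in code for the AFI assets. This is an added example, not code from the original document: the CIA ratings are the page's own, while the asset weights, the vulnerability and threat severities and the occurrence probabilities are hypothetical values assumed here for illustration, as is the integrity rating of 2 for the distribution routers, which the page leaves blank.

```python
"""The AFI risk arithmetic from this page carried through in code (added example).

CIA ratings are the page's own; weights, severities and probabilities are assumed.
"""
from typing import Dict, List, Tuple

# (Confidentiality, Integrity, Availability) on the page's scale: 1 low, 2 medium, 3 high.
# Integrity of the distribution routers was left unrated on the page; 2 is assumed.
CIA: Dict[str, Tuple[int, int, int]] = {
    "Oracle Database server": (3, 3, 3),
    "SUS server": (3, 3, 2),
    "Print and File server": (3, 3, 1),
    "Internal Distributed Network Server": (2, 2, 3),
    "Intranet Webserver": (2, 2, 2),
    "Email server": (2, 1, 1),
    "TCB workstations": (2, 2, 1),
    "Cisco 3750 switches": (2, 1, 3),
    "Departmental workstations": (2, 3, 2),
    "Distribution routers": (3, 2, 2),
    "VPN Gateway": (2, 2, 1),
    "RAS (Remote Access Server)": (2, 2, 1),
    "Private Branch Exchange": (2, 1, 1),
    "Border Routers": (3, 3, 3),
    "Router & Wireless Antenna": (3, 1, 1),
}

# Assumed asset weights, 1 (ordinary data) to 3 (most sensitive data), following the
# page's remarks that the RAS and the wireless router are the least critical assets.
WEIGHT: Dict[str, int] = {
    "Oracle Database server": 3, "SUS server": 2, "Print and File server": 3,
    "Internal Distributed Network Server": 2, "Intranet Webserver": 2, "Email server": 2,
    "TCB workstations": 2, "Cisco 3750 switches": 2, "Departmental workstations": 1,
    "Distribution routers": 2, "VPN Gateway": 2, "RAS (Remote Access Server)": 1,
    "Private Branch Exchange": 1, "Border Routers": 3, "Router & Wireless Antenna": 1,
}

# Assumed (vulnerability severity 1..5, threat severity 1..5, occurrence probability 0..1)
# for a handful of assets, e.g. an exposed wireless segment versus a patched database host.
SCENARIOS: Dict[str, Tuple[int, int, float]] = {
    "Oracle Database server": (2, 5, 0.2),
    "Border Routers": (3, 4, 0.3),
    "Router & Wireless Antenna": (5, 4, 0.6),
    "RAS (Remote Access Server)": (4, 4, 0.4),
    "Email server": (3, 3, 0.5),
}


def asset_value(c: int, i: int, a: int) -> int:
    """Assumption 3 on the page: information asset value = C + I + A."""
    for rating in (c, i, a):
        if rating not in (1, 2, 3):
            raise ValueError("CIA ratings must be 1 (low), 2 (medium) or 3 (high)")
    return c + i + a


def total_asset_value(name: str) -> int:
    """Total Asset Value = Asset Value * Weight of Asset."""
    return asset_value(*CIA[name]) * WEIGHT[name]


def category(total: int) -> str:
    """The page's bands: I (20..27), II (12..18), III (10 or less).
    With ratings 1..3 and weights 1..3 no product falls into the gaps between bands."""
    if 20 <= total <= 27:
        return "I"
    if 12 <= total <= 18:
        return "II"
    if 0 < total <= 10:
        return "III"
    raise ValueError(f"total asset value {total} is outside the page's bands")


def potential_risk(total: int, vuln_severity: int, threat_severity: int) -> int:
    """Potential Risk = Total Asset Value * Severity of Vulnerability * Severity of Threat."""
    for severity in (vuln_severity, threat_severity):
        if not 1 <= severity <= 5:
            raise ValueError("severities are graded 1 (very low) to 5 (very high)")
    return total * vuln_severity * threat_severity


def risk_impact(potential: int, probability: float) -> float:
    """Risk Impact = Occurrence Probability * Potential Risk."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return round(potential * probability, 2)


def rank_assets(scenarios: Dict[str, Tuple[int, int, float]]) -> List[Tuple[str, int, str, float]]:
    """(asset, total value, category, risk impact), highest risk first: the order in
    which mitigation budget should be spent."""
    rows = []
    for name, (vuln, threat, prob) in scenarios.items():
        total = total_asset_value(name)
        impact = risk_impact(potential_risk(total, vuln, threat), prob)
        rows.append((name, total, category(total), impact))
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for name, total, cat, risk in rank_assets(SCENARIOS):
        print(f"{name:36} value={total:2d} category={cat:3} risk={risk}")
```

Under these assumed severities the category III wireless router outranks the category I database, which is the practical reason the page's method keeps asset value and risk impact as separate numbers: criticality decides what must be restored first, risk impact decides where the next control goes.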

Risk Mitigation strategy

The Wireless Network
Risk = Severity x Likelihood

Asset Prioritization Matrix

Quantitative Risk Assessment (QRA)

 
Qualitative Risk Assessment

The Perimeter Security

Conclusion

From the devices and systems identified in the AFI corporate network topology, conduct a thorough asset inventory, assign monetary values to each asset (quantitative), and assign a priority value to each asset (qualitative) that could be used to determine which assets are most critical to restore in the event of a catastrophic event or attack.

• Evaluate the perimeter security, make a list of access points, internal and external (remote), identify vulnerabilities and make suggestions for improvements to perimeter and network security.

• Evaluate the remote access infrastructure, identify vulnerabilities and suggest security improvements to mitigate risks to remote access.

• Address the COO's concern over mobility security and design secure mobile computing (smartphones, tablets, laptops, etc.) in terms of authentication technologies and data protection.

• Identify wireless vulnerabilities and recommend what safeguards, authentication technologies and network security controls should be implemented to protect data.

• Evaluate the authentication protocols and methodologies within the wired, wireless, mobility and remote access environments and suggest improvements to secure authentication for AFI.

• Evaluate the web system protocols and vulnerabilities within the Intranet server and suggest secure protocol improvements to improve security for web authentication.

• Design a cloud computing environment for the company with a secure means of data protection at rest, in motion and in process.

• Assess all known vulnerabilities on each asset in this environment and the impacts if compromised.

• Using the asset inventory and the assigned values (monetary and priority), conduct a quantitative and qualitative risk assessment of the AFI network.

• Recommend risk mitigation procedures commensurate with the asset values from your asset inventory. Feel free to redesign the corporate infrastructure and use any combination of technologies to harden the authentication processes and network security measures.

• Provide an executive summary.

• You are welcome to make assumptions for any unknown facts as long as you support your assumptions.


Information System (IS) Development Process


            In the current highly competitive and dynamic market, innovation coupled with user requirements is one of the most used strategies by which organizations enhance market success. Moreover, employees in different capacities, such as system users, administrators and organizational managers, significantly influence the success of an information strategy within an organization, and hence market success. However, many organizations are experiencing a wide range of user-related information security issues which lead to multi-million-dollar losses, while others tremendously threaten business continuity and so significantly derail the achievement of organizational goals and objectives. Factors that significantly increase the chance of user-related attacks include resistance to change, especially because of unrealistic information systems and inadequate training; these can be substantially reduced by adopting appropriate information system development models and incorporating users in the system development life cycle (SDLC). For instance, in an iterative and incremental framework of system development, such as the agile methodologies, user responses to the initially delivered system increments can be used to improve subsequent deliverables (Safa, Von Solms & Furnell, 2016). Thus, an organization must deploy an integrated approach to information system development and management, including increased user participation, to enhance organizational goal achievement by addressing organization-wide information management issues.

            In the past decade, misalignment between information approaches and business strategies has been one of the most cited sources of concern, especially on matters regarding information assurance (IA) compliance. Previous studies link significant concerns regarding information compliance to misalignment of information and business strategies within the internal and external business environment. Different categories of organizations focus on different strategic objectives to achieve specific organizational goals, such as increased profitability and compliance with industry-wide standards and regulatory demands. For instance, private hospitals have been found to focus on patient experience improvement strategies to attract more customers, while public healthcare organizations emphasize industry standards on matters regarding information assurance compliance with regulations set by the government and regulatory agencies, such as HIPAA. Thus, depending on a wide range of factors, such as category and size, organizations are exposed to significant issues, including increased information security risks and system implementation failure, because they adopt a selective approach to information management in pursuit of organizational goals and objectives.

            The process of information system development involves the improvement of the existing information system or the development of a new one to satisfy user demands.

However, previous studies indicate that in many institutions, employees are the weakest link in the protection of information assets, especially because they focus primarily on the achievement of organizational goals and objectives. In this regard, it is highly essential to involve the user in the system development process, especially to ensure successful system implementation and improved system quality. According to Permana (2015), appropriate involvement of business users in the system development life cycle can yield a much better system, because they can give an increased level of detail regarding system specifications. Therefore, organizations must consider involving all stakeholders in the process of IS development to appropriately align business and information strategy, hence ensuring market success.

            In an organization, especially in the corporate sector, consumers are among the business users that must be incorporated in the development process to ensure the successful implementation of high-quality systems. One technique for increasing consumer participation in the core activities of information system development involves evaluating their attitude towards system change. According to Eichhorn (2014), users can have either a favorable or an unfavorable attitude, which indicates the need to separate the evaluative and attitude measures of the involvement construct. The involvement construct can be used to draw a dichotomy between low- and high-involvement products with regard to the manner in which consumers synthesize information and make choices about products. Because information system development is primarily focused on introducing significant changes, it is essential to consider user responses to the intended adjustments. Thus, the project management team must conduct in-depth analyses, including consumer-oriented surveys and pilot testing, to establish users' attitudes towards the new components of the information system and make the necessary changes.

            The information system client is another category of business user that must be incorporated in the system development life cycle, especially to improve the understanding of system requirements. User advocacy is one of the most used strategies for involving the client in the system development process: the client lead can act as a salesperson or vocal advocate for the project and its advantages within the organization. A matched-pair survey conducted by Wang, Chang, Jiang and Klein (2011), which used user advocacy to identify project performance, revealed that extrinsic motivation and user socialization are the primary antecedents of user advocacy. With appropriate integration between the development team and users, it is possible to capture system requirements precisely. Users will most probably share essential information with a project development team they perceive as friendly and decline to participate in initiatives with seemingly hostile teams. Moreover, system users will most likely advocate for projects developed by socially friendly project management teams and may attempt to influence their colleagues negatively with regard to unfriendly system developers. Therefore, the project development team must include user socialization initiatives, such as seminars and training programs, and provide the necessary motivation, such as rewarding performance and responding to the issues raised by users, to increase their participation in system development.

             A merger between project management and an appropriate system development life cycle approach can be used to enhance user participation, hence quality and successful integration. An iterative and incremental approach to system development, such as an agile SDLC strategy, combined with appropriate project management techniques can yield substantial and mutual benefits for the organization, the information system developers and the project managers. For instance, an integration of project management and an agile approach to the SDLC can greatly assist system development teams in understanding user requirements and improving the quality of the delivered product without significantly affecting the schedule and budget (Sanchez & Terlizzi, 2017). Thus, an organization must appropriately integrate project management and the SDLC to ensure the delivery of a high-quality information system that can be deployed without significant challenges.

            While project management concerns techniques, such as user participation, that ensure delivery of the product within a specified schedule and on budget, the agile approach emphasizes formulating system requirements within a reduced duration of time. Moreover, the agile SDLC provides a specific outline that project managers can use to identify the project management techniques that can enhance completion of the project within time and schedule, by enabling appropriate planning (Permana, 2015). Thus, the agile SDLC can support timely goal achievement, while project management can ensure proper management of resources such as time and money.

            An integrated approach to system development can yield information systems that greatly enhance the achievement of organizational goals, because it directly shapes information management. An organization includes a wide range of users spread across the business environment; hence it is necessary to conduct an in-depth analysis to identify the specific approaches that can be used to enhance participation of all stakeholders in the information system development process. Techniques for ensuring appropriate user participation include a dichotomy of consumer involvement with information system products, to improve acceptance and hence project implementation. Moreover, user advocacy can be enhanced through socialization and extrinsic motivation to significantly improve system quality and user participation. However, user advocacy and user attitude-based techniques focus on specific categories of business users, such as consumers and employees, so when deployed in isolation they cannot appropriately support information system development, because organizations include a wide range of users distributed across the internal and external business environment. Integrated system development approaches, such as the merger between the SDLC and project management efforts, combine the strengths of both techniques and hence greatly improve information system quality and performance, especially by addressing user requirements across the entire organizational environment. Therefore, organizations must focus on implementing integrated methods of IS development to ensure high-quality information systems that can be implemented across the entire business environment with a significantly reduced number of challenges.

References

Eichhorn, B. R. (2014). The impact of user involvement on information system projects.

Permana, P. A. G. (2015). Scrum method implementation in a software development project management. International Journal of Advanced Computer Science and Applications, 6(9), 198-204.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.

Sanchez, O. P., & Terlizzi, M. A. (2017). Cost and time project management success factors for information systems development projects. International Journal of Project Management, 35(8), 1608-1626.

Wang, E. T., Chang, J. Y., Jiang, J. Y. J., & Klein, G. (2011). User advocacy and information system project performance. International Journal of Project Management, 29(2), 146-154.