Operations and Systems Planning Project: Design a Strategic Plan

Cara Nguyen

IT-482-H7318

Southern New Hampshire University

Synopsis:

  • Design a strategic plan for implementing a new system architecture in an organization.
  • Determine what information technology policies, laws, regulations, standards, and contracts are applicable in a given situation.

    Client-Server Architecture to Meet Organizational Needs

    System Architecture Options and Benefits: System architecture plays an important role in fulfilling the business strategy, which can then be translated into a plan for the information systems infrastructure. The most common options for system architecture are centralized, decentralized, service-oriented (SOA) and software-defined. A centralized architecture keeps all data and controls in one place, which simplifies remote network management and lets capacity be scaled as a single unit. SOA, by contrast, is a loosely coupled architecture in which business functions are exposed as independent services; this minimizes dependencies between services and allows for better agility. A cloud architecture allows a business to scale effectively and increase the accessibility of its products and services to reach a new customer base. Through cloud computing, third-party providers are better able to respond to issues arising from growth, such as information flow, and leverage available cloud technology to optimize performance. This makes it possible to expand into new markets, thereby maintaining a competitive advantage and eventually resulting in higher profits.

    IS Strategy Triangle: A business strategy is the driving force behind information systems and organizational design. Whenever a decision is made that impacts organizational strategy, business strategy or information systems strategy (the IS Strategy Triangle), the others must be considered to ensure a balance is maintained. These components should complement each other and work in tandem to ensure business objectives are achieved.

    Components of a Cloud Architecture: A cloud architecture allows multiple platforms to share resources, and clients to access services and applications from anywhere using a web browser; therefore, the amount of on-premises resources required is minimized. For instance, the Oracle HCM Cloud that has been selected will allow for unified integration with financials (ERP), customer experience, and supply chain management software to improve operational performance (Oracle, 2022, p. 7). Other components to be considered are hardware, software, networking and data (quantity, format and storage). Although cloud architecture reduces the need for many hardware and networking devices, as applications will be managed in the cloud, geographical regions should still be considered in determining the appropriate level of devices and equipment needed.

    Industry Best Practices: Maintaining a competitive advantage in the technology industry will require a digital strategy that can keep up with the rate of change in today’s dynamic IT environment. Chinese e-commerce company Alibaba, for example, uses AI technology in its warehouses, customer-service chatbots, financing and facial recognition to keep up with growing consumer demand (GetSmarter, 2022). Alibaba first defined its business strategy (to improve customer service) and transformed it to a digital strategy by harnessing AI technology to increase output and personalize the customer experience.

    Lowering Total Cost of Investment (TCI): Studies show that those either competing or cooperating with a global platform can boost earnings above those that do not have a digital platform (Bughin et al., 2019). Transitioning to a cloud platform has numerous benefits, one of which is cost savings in terms of maintenance and equipment. There are intangible benefits to consider as well, such as increased innovation, elasticity and accessibility, all of which increase the organization’s ability to respond to market changes and handle higher demand.

    Security Considerations and Needs

    Security of System Architecture: Changes to system architecture can introduce new risks and vulnerabilities that must be addressed. The company will need to establish how platforms managed by a third party ensure the security of company data and whether the provider's security policies meet organizational requirements. The organization must protect business resources and information by implementing access control according to level of authorization. Organizational leaders should foster a cybersecurity culture that promotes best security practices and policies and emphasizes the importance of maintaining data integrity, reinforced through regular education and training of staff.

    Integrating Security in DevOps: Information security should be integrated with development operations to increase developer and operational productivity in addition to safety and security (Kim et al., 2016, ch. 22, para. 5). Security tests should run in the same pipeline as the regular deployment tests, as early in the development life cycle as possible, so that a failing security check blocks a release the same way a failing unit test does. Integrating security into the daily activities of DevOps makes deployments more manageable, reduces vulnerabilities and encourages security awareness throughout the development process.
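    The kind of pipeline gate described above, as an added example that is not part of the original paper and not code from Kim et al.: a pre-deployment step that scans the checked-out files for hardcoded secrets and debug settings and checks pinned dependencies against an advisory feed, then fails the build when a high-severity finding is present. The sample files, the advisory list and the severity policy are constructed for illustration; the AWS key is the documentation example key, not a real credential.

```python
"""Pre-deployment security gate that runs alongside the normal test stage.

Added example, not from the original paper. SAMPLE_FILES, SAMPLE_ADVISORIES
and the block_on policy are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed snapshot of a checkout as the pipeline would see it.
SAMPLE_FILES = {
    "app/settings.py": 'DEBUG = True\nSECRET_KEY = "django-insecure-abc123"\n',
    "app/db.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',  # AWS docs example key
    "requirements.txt": "requests==2.19.0\nflask==2.3.2\n",
}

# Constructed advisory feed: package -> (first fixed version, severity).
SAMPLE_ADVISORIES = {
    "requests": ("2.20.0", "high"),
}

SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_secret_key": re.compile(r"""SECRET_KEY\s*=\s*["'][^"']+["']"""),
}


@dataclass
class Finding:
    check: str
    location: str
    severity: str


def parse_version(v):
    """Numeric dotted versions only (e.g. '2.19.0'); enough for pinned requirements."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """Return {package: pinned_version} from a requirements.txt body."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, ver = line.partition("==")
        pins[name.lower()] = ver
    return pins


def check_secrets(files):
    """Flag lines that look like credentials committed to source."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    findings.append(Finding(name, f"{path}:{lineno}", "high"))
    return findings


def check_debug_settings(files):
    """Flag DEBUG = True, which must never reach a deployment."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if re.match(r"\s*DEBUG\s*=\s*True\b", line):
                findings.append(Finding("debug_enabled", f"{path}:{lineno}", "medium"))
    return findings


def check_dependencies(files, advisories):
    """Flag pinned packages below the first fixed version in an advisory."""
    findings = []
    pins = parse_requirements(files.get("requirements.txt", ""))
    for pkg, (fixed, sev) in advisories.items():
        if pkg in pins and parse_version(pins[pkg]) < parse_version(fixed):
            findings.append(Finding("vulnerable_dependency", f"{pkg}=={pins[pkg]} (< {fixed})", sev))
    return findings


def run_security_gate(files, advisories, block_on=("high",)):
    """Return (blocked, findings); blocked is True when any finding's severity is in block_on."""
    findings = check_secrets(files) + check_debug_settings(files) + check_dependencies(files, advisories)
    blocked = any(f.severity in block_on for f in findings)
    return blocked, findings


if __name__ == "__main__":
    blocked, findings = run_security_gate(SAMPLE_FILES, SAMPLE_ADVISORIES)
    for f in findings:
        print(f"[{f.severity}] {f.check} at {f.location}")
    # A non-zero exit is what makes the CI stage fail and the release stop.
    raise SystemExit(1 if blocked else 0)
```

    The gate exits non-zero on a blocking finding, which is the only signal a CI system needs; medium findings (such as a debug flag) are reported but, under this constructed policy, do not stop the build on their own.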

    Streamlining Policy Updates: Cybersecurity policies are just one of the many layers in a defense-in-depth strategy, and everyone in the organization should be aware of updates to these policies. Therefore, a system of record (SOR) should be provided for these policies, maintained by the CISO and business leaders, to ensure data organization and regulatory compliance. Significant policy updates should be communicated to staff immediately, preferably in the form of meetings.

    Business Impact

    The Impact of Adverse Events: Managers must address security in terms of technology, people, supply chain (vendors) and risk. Technical vulnerabilities in the system, such as misconfigurations or unnecessary open ports and devices exposed on the network, should be handled immediately. A people assessment should also be conducted to determine the level of training of staff (such as ensuring they know whom to report to if they encounter suspicious activity). Managers should also be aware of any vulnerabilities in portions of the system that vendors oversee and should be provided with a risk assessment from those vendors. Finally, a risk assessment of the organization itself should be conducted to determine the probability and costs of a security breach.

    Business Continuity Considerations: The NIST Cybersecurity Framework (CSF) provides a guideline for protecting organizational assets while reducing the negative impacts of an attack. It involves five key functions to increase cybersecurity in the organizational environment: identify, protect, detect, respond and recover (Pearlson et al., 2019, p. 158). First, the organization must identify the assets it needs to protect, then establish governance and conduct a risk assessment to help prioritize the level of coverage. Protecting assets and the IT environment includes implementing access control policies and training staff on best security practices. The detect function refers to continuous monitoring of the system for unusual events. A response plan involves analyzing the system's ability to respond to adverse events and developing a communication plan so that order and continuity are maintained in times of crisis. Finally, a disaster recovery plan is essential to ensuring continuity of operations and to understanding what needs to be improved going forward.

    Compliance

    Common Industry IT Standards: There are several information security frameworks available to reduce the organization’s exposure to risks and vulnerabilities:

    • NIST CSF (focus on risk analysis and risk management)
    • COBIT (most common framework to maintain Sarbanes-Oxley compliance)
    • COSO (focus on internal controls, cyber threats)
    • ISO 27000 Series (flexible, can apply to many types of organizations)
    • GDPR (an EU regulation rather than a security framework; mandatory for any organization processing the personal data of individuals in the EU)

    In consideration of the available frameworks, the ISO 27000 Series is one of the broadest in scope, making it one of the best options. It is a flexible information security framework that establishes the requirements for an information security management system (ISMS) and encompasses a wide range of information security issues including cloud computing, IT disaster recovery, and storage security. Maintaining compliance with this framework involves regular audit and certification processes, which are conducted by an accredited third-party certification body rather than by ISO itself. In addition, the new system architecture will have to ensure compliance with GDPR to protect the personal information of individuals in the EU. This includes implementing controls for restricting unauthorized access to stored data and access control measures, such as least privilege, role-based access and multifactor authentication (Kirvan & Granneman, 2021).
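    The three access control measures just named (least privilege, role-based access and multifactor authentication) combined in one deny-by-default authorization check, as an added example that is not part of the original paper or of any framework's own code. The roles, resources, the session layout and the eight-hour MFA validity window are assumptions made for illustration.

```python
"""Deny-by-default RBAC with an MFA requirement on sensitive actions.

Added example, not from the original paper. ROLE_PERMISSIONS, MFA_REQUIRED,
MFA_MAX_AGE and the Session layout are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Role -> set of (resource, action) pairs it grants. Anything not listed is denied,
# which is what least privilege means in practice: no implicit permissions.
ROLE_PERMISSIONS = {
    "hr_analyst": {("employee_record", "read")},
    "payroll_admin": {("employee_record", "read"), ("payroll", "read"), ("payroll", "update")},
    "auditor": {("audit_log", "read")},
}

# Actions that must never succeed on a session that has not completed MFA recently.
MFA_REQUIRED = {("payroll", "read"), ("payroll", "update"), ("employee_record", "export")}
MFA_MAX_AGE = timedelta(hours=8)


@dataclass
class Session:
    user: str
    roles: set
    mfa_verified_at: Optional[datetime] = None  # None means MFA was never completed


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session, resource, action, now=None):
    """Return a Decision for (resource, action); the reason is what an audit log would record."""
    now = now or datetime.now(timezone.utc)
    need = (resource, action)
    # Union of everything the user's roles grant; unknown roles grant nothing.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in session.roles))
    if need not in granted:
        return Decision(False, f"no role of {session.user} grants {action} on {resource}")
    if need in MFA_REQUIRED:
        if session.mfa_verified_at is None:
            return Decision(False, "MFA required for this action")
        if now - session.mfa_verified_at > MFA_MAX_AGE:
            return Decision(False, "MFA verification expired; re-authenticate")
    return Decision(True, "granted")


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    bob = Session("bob", {"payroll_admin"}, mfa_verified_at=now - timedelta(hours=1))
    print(authorize(bob, "payroll", "update", now))
    print(authorize(Session("alice", {"hr_analyst"}), "payroll", "read", now))
```

    The check is evaluated per request, not once at login, so a role change or an expired MFA window takes effect on the next call without waiting for the session to end.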

    Software Updates and Patching Existing Software: Maintaining cybersecurity hygiene is a basic best practice in which system updates and patches are applied as vendors release them. Patch management tools not only help detect vulnerabilities and apply patches as needed to ensure the continuity of operations, but they are also required by security compliance frameworks and other policies. Patches should be tested prior to system-wide deployment, and the timing and resources needed should be determined in advance to avoid excessive or unnecessary system downtime.
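    A patch compliance check of the kind a patch management tool performs, as an added example that is not part of the original paper and not any vendor's code: each host's installed package versions are compared against an advisory feed, missing patches are given a remediation deadline by severity, and the rollout order puts test hosts ahead of production, matching the "test before system-wide deployment" point above. The inventory, the advisories and the SLA days are constructed assumptions; versions are assumed to be purely numeric dotted strings.

```python
"""Patch compliance report: installed versions vs. an advisory feed.

Added example, not from the original paper. INVENTORY, ADVISORIES and
SLA_DAYS are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "web-01": {"openssl": "3.0.10", "nginx": "1.24.0"},
    "db-01": {"openssl": "3.0.13", "postgresql": "15.3"},
    "test-web-01": {"openssl": "3.0.10", "nginx": "1.24.0"},
}

# Constructed advisory feed; "fixed" is the first version that carries the patch.
ADVISORIES = [
    {"id": "ADV-1", "package": "openssl", "fixed": "3.0.13", "severity": "critical", "published": date(2024, 3, 1)},
    {"id": "ADV-2", "package": "postgresql", "fixed": "15.4", "severity": "high", "published": date(2024, 3, 5)},
    {"id": "ADV-3", "package": "nginx", "fixed": "1.25.0", "severity": "low", "published": date(2024, 2, 1)},
]

# Remediation deadline in days after publication, by severity (a policy assumption).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


def parse_version(v):
    """Numeric dotted versions only; tuples compare component-wise, so 3.0.13 > 3.0.9."""
    return tuple(int(p) for p in v.split("."))


def missing_patches(inventory, advisories, today):
    """List every (host, advisory) pair where the installed version is below the fix."""
    report = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            # Package absent, or already at/above the fixed version: nothing to do.
            if installed is None or parse_version(installed) >= parse_version(adv["fixed"]):
                continue
            deadline = adv["published"] + timedelta(days=SLA_DAYS[adv["severity"]])
            report.append({
                "host": host,
                "advisory": adv["id"],
                "package": adv["package"],
                "installed": installed,
                "fixed": adv["fixed"],
                "severity": adv["severity"],
                "deadline": deadline,
                "overdue": today > deadline,
            })
    # Earliest deadline first, so overdue critical items surface at the top.
    report.sort(key=lambda r: (r["deadline"], r["host"]))
    return report


def rollout_order(report, test_prefix="test-"):
    """Apply to test hosts first; production entries follow in deadline order."""
    test = [r for r in report if r["host"].startswith(test_prefix)]
    prod = [r for r in report if not r["host"].startswith(test_prefix)]
    return test + prod


if __name__ == "__main__":
    for r in rollout_order(missing_patches(INVENTORY, ADVISORIES, date(2024, 3, 20))):
        flag = "OVERDUE" if r["overdue"] else "due"
        print(f"{r['host']:12} {r['advisory']} {r['package']} {r['installed']} -> {r['fixed']} "
              f"[{r['severity']}] {flag} {r['deadline']}")
```

    Real package versions are often not purely numeric (epochs, release suffixes, distribution-specific ordering), so in production this comparison would be replaced by the package manager's own version comparison; the report logic around it stays the same.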

    Data Privacy

    PII, Data Breach Notification Laws and Data Storage: PII must be stored securely according to applicable regulations and current security standards. All data stored on servers must be encrypted both at rest and in transit. The organization will need to be intimately familiar with regulations regarding PII, such as GDPR and any security breach notification laws. The Federal Trade Commission (FTC) offers guidance on responding to data breaches and protecting data, such as meeting with legal counsel who can advise on the security laws and regulations specific to a geographical area. It is important to think about vulnerabilities in terms of service providers: be aware of what PII they have access to and ensure they have patched any known vulnerabilities. Best practice is to have network segmentation in place so that a breach of one server does not spread to another. Another best practice is to store only the PII that is necessary, and to have retention policies in place that delete data automatically after a defined period.
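    The last two practices above (store only the PII that is necessary, and delete it automatically after a defined period) implemented in code, as an added example that is not part of the original paper or FTC guidance: each record is reduced to the fields the system actually needs, the e-mail address is replaced by a keyed pseudonym (HMAC-SHA256) so records about the same person can still be linked internally without storing the identifier, and records older than the retention period are purged. The record layout, the one-year retention period and the key are constructed assumptions; encryption at rest and in transit is a separate control handled by the storage and transport layers and is not shown here.

```python
"""Data minimisation and retention for stored PII.

Added example, not from the original paper. SAMPLE_RECORDS, NEEDED_FIELDS,
RETENTION and the demo key are constructed assumptions.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=365)
NEEDED_FIELDS = {"pseudonym", "department", "created_at"}

# Constructed input as it might arrive from an HR feed (contains direct identifiers).
SAMPLE_RECORDS = [
    {"name": "Ann Example", "email": "Ann@Example.com", "department": "finance",
     "created_at": datetime(2023, 9, 1, tzinfo=timezone.utc)},
    {"name": "Ben Sample", "email": "ben@example.com", "department": "it",
     "created_at": datetime(2024, 5, 20, tzinfo=timezone.utc)},
    {"name": "Cy Old", "email": "cy@example.com", "department": "legal",
     "created_at": datetime(2022, 1, 15, tzinfo=timezone.utc)},
]


def pseudonymize(value, key):
    """Keyed hash of a normalised identifier.

    Same person -> same token inside this system, but without the key the token
    cannot be reversed or correlated with another system's tokens.
    """
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def minimize(record, key):
    """Keep only the fields the application needs; drop name and e-mail entirely."""
    return {
        "pseudonym": pseudonymize(record["email"], key),
        "department": record["department"],
        "created_at": record["created_at"],
    }


def purge_expired(records, now, retention=RETENTION):
    """Return (kept, removed_count); anything older than the retention period is dropped."""
    kept = [r for r in records if now - r["created_at"] <= retention]
    return kept, len(records) - len(kept)


def process(records, key, now):
    """Minimise first, then purge, so the raw identifiers never reach storage."""
    kept, _removed = purge_expired([minimize(r, key) for r in records], now)
    return kept


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    for r in process(SAMPLE_RECORDS, key, datetime.now(timezone.utc)):
        print(r)
```

    The purge would normally run on a schedule against the data store; the key for the pseudonym must itself be stored separately from the records, since whoever holds both can re-link tokens to people by hashing candidate addresses.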

    References

    Bughin, J., Catlin, T., & Dietz, M. (2019). The right digital-platform strategy. McKinsey Quarterly, 2, 1–4. https://eds-s-ebscohost-com.ezproxy.snhu.edu/eds/detail/detail?vid=2&sid=40d0531d-c2b5-45bb-9ba1-644adc9746e5%40redis&bdata=JnNpdGU9ZWRzLWxpdmUmc2NvcGU9c2l0ZQ%3d%3d#AN=137670577&db=bsu

    GetSmarter. (2022, June 25). 4 Examples of Successful Digital Strategy Development. https://www.getsmarter.com/blog/career-advice/4-examples-successful-digital-strategies-can-learn/

    Kim, G., Humble, J., Debois, P., & Willis, J. (2016, October). The DevOps Handbook. IT Revolution Press. https://learning.oreilly.com/library/view/the-devops-handbook/9781457191381/DOHB-ch_22.xhtml

    Kirvan, P., & Granneman, J. (2021, December 21). Top 10 IT security frameworks and standards explained. TechTarget. https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one

    Oracle. (2022). Solution Overview: Oracle Cloud HCM Work Made Human. https://www.oracle.com/a/ocom/docs/oracle-hcm-cloud-overview.pdf

    Pearlson, K. E., Saunders, C. S., & Galletta, D. F. (2019). Managing and Using Information Systems: A Strategic Approach (7th ed.). Wiley Global Education US. https://mbsdirect.vitalsource.com/books/9781119561156