UMGC Information Systems Security Discussion 300 word min reply with references
Earlier we learned about the Requirements and developing requirements for an IT system, where we learned many requirements along with examples. And that system performance criteria helps determined how the system is configured, how it can operate and when it used and what is the user’s experience. There are number of requirements for system performance, here I would like to discuss the requirement called “Maintainability”. The term is characterized as a probability of successfully performing a restoration action within a timeline, in other words, “Maintainability” tests how simple and fast a device can be restored to operating system in case failure occurs. It is alike “reliability Analysis System”, with the exception that time to repair, rather than time to failure is the random variable of interest in the “Maintainability Analysis”.
The above mentioned system is very crucial in the process of hiring because this analysis helps to assess the required time. Through this system many things can be identified and reduced, such as cost, time, and what to maintain or not. And by this it can be also assessed the condition in which an individual can perform task. Work can be perform more quickly if one can observed what one is performing.
Barbarosoglu, B.V. and Arditi, D., 2019. A system for early detection of maintainability issues using BIM. In Advances in Informatics and Computing in Civil and Construction Engineering (pp. 335-341). Springer, Cham.
Jha, S., Kumar, R., Abdel-Basset, M., Priyadarshini, I., Sharma, R. and Long, H.V., 2019. Deep learning approach for software maintainability metrics prediction. Ieee Access, 7, pp.61840-61855. Learning Resource
Developing Requirements for an IT System
Where Do the Requirements Come From?
Let’s assume that someone in the organization identifies one or more problems with the way a process
is working. Whether the current process is supported by an IT system or not, the analyst might ask
people with different roles in the process two questions:
What problems are you having in performing the task today?
How do you see an IT system helping to improve things?
These questions should elicit a variety of responses from multiple perspectives. The executives might
answer with how the organizational strategies and objectives could be better supported with an IT
system. Managers may answer the questions with how an IT system would help them manage the
people and processes better. Front-line employees will likely focus on their tasks and which steps
could be done more easily and quickly if they had a system. The analyst will use information gathered
during the process analysis phase to help stakeholders identify and clarify what the system needs to
do for them.
If there is organizational agreement that a new system is probably needed, then a determination
should be made as to whether a system will need to be developed or if a pre -built commercial off-theshelf (COTS) solution might work. This would include answering the following types of questions:
For what major functions or tasks is the user seeking an IT solution?
Is there any part of that task that is likely to be unique to this organization?
Would it be possible to find a COTS solution, since those are already created, are ready to be
used, and are often much less costly to implement?
If the organization does not employ any significantly unique functions to accomplish a standard
business process, then it is likely that a COTS solution exists that could meet the needs. The
determination of whether a system is to be built or bought drives the level of detail needed in the
requirements. Many more requirements with much more detail are needed for building a system than
for buying one.
Regardless of whether a system is to be built or bought, the next step is to identify the high level user
requirements (or “functional” requirements). This is done by interviewing the expected users of the
system. Users very often know some of what they need the system to do, but are unable to list all the
functions they need. One way the analyst elicits the requirements is by asking a variety of users at
different levels of the organization and with different responsibilities how the processes are currently
being done and what it is that the current system or process does or does not do eff iciently. The
manager’s perspective and needs are quite different from the front-line employee trying to perform
specific tasks, and the executive’s perspectives and needs are unique to that level of the organization.
After a series of interviews, the analyst can categorize and document the requirements that are
emerging. Some of these will likely be at a very high level (e.g., “I need annual financial reports”) to
very low-level detailed items (e.g., “the zip code must include all 9 digits”). For an accoun ting system,
the high-level requirements might include “the system must implement the Generally Accepted
Accounting Principles (GAAP)” or “the system must produce a monthly expense statement,” along with
many other functions identified by the users. One of the biggest challenges for the analyst is to
differentiate between a “must have” (essential) requirement and a “nice to have” feature. When
requirements are collected and documented they are often put into these two categories. The analyst
asks the end user to determine whether each requirement is a “must have” or a “nice to have” item, and
Some users may identify requirements that they believe the system must perform, but that the analyst
does not believe should be part of the specification for the system in question. At this point in the
process, all of the requirements identified by any of the participants should be listed. Eventually, the
full list of requirements will be reviewed, modified as necessary and approved by the syst em “owner”
and major stakeholders. During that part of the process, final determinations will be made about which
requirements are essential, which are “nice to have,” and which should be eliminated. The list of
essential requirements will be used to identify whether there are COTS products available that should
be considered; “nice to have” requirements will be used to compare solutions that meet the essential
requirements. In a system development environment, the essential requirements will be used to
determine the scope of the project. It is often easier and less costly to include “nice to have” items in
systems being developed in-house, but the overall cost of developing and maintaining IT systems
must be considered in making that decision. In the systems development life cycle (SDLC) analysis
phase, the project sponsor signs off on the requirements document. In later SDLC phases, the
requirements are used to design, develop, and test the system.
A separate set of system performance (system quality and security) requirements comes from the
combination of end user needs as well as technical specifications developed by the IT department. The
answers, again, are elicited via interviews with expected system users and managers. Below are
example questions that the analyst might ask to develop system performance requirements in each of
the system quality and security categories:
Usability—Do you want the system user to have access to an online help manual? Do you want
the user to be able to access context-specific help while entering each data field on the
Scalability—How many users and how many records/transactions do you need the system to be
able to accommodate? How much might those increase over time?
Availability—Are there any time blocks where access to the system is not needed (e.g., no one
would use the system between midnight to 4 a.m. daily)?
Reliability—Can you provide examples of tasks where the system needs to create and maintain
Maintainability—Are system security updates applied within 24 hours? (While end users are
affected by the maintainability of the system, it is usually up to the IT department to determine
whether the process used accommodates changes as needed and whether updates are made in
a timely manner.)
Portability—What devices do you want the users of the system to be able to use? Is it likely
that they would use a smartphone, tablet, etc., to either query or use the system?
Interoperability—Are there any systems with which the new system will need to directly
Security—This is another area where users are affected, but need assistance from technical
specialists to determine the requirements. The analyst might ask: How sensitive is the data?
Are there any regulations concerning protecting the type of data in this system (personally
identifiable information, health care or other data protected by law, etc.)? Do you want users to
be restricted as to what they can do with the system or what data they can access? Should this
be based on their role in the organization? How often does the data change? How long could
you continue to operate if the system were unavailable?
The User’s Role—Identifying Requirements
As discussed above, it is the responsibility of the system users to identify the need for a solution to a
problem or to identify processes that could be improved and performed more effectively or efficiently.
The user is familiar with the business process to be accomplished and with how it is currently
performed, and can identify any issues that exist. Previous work completed on process analysis is an
important precursor to defining requirements. It is not unusual for the business person to look around
and find potential IT solutions to their problems, and some want to jump immediately into acquir ing a
specific solution. However, without a set of requirements that has been approved by the organization,
a solution that fits one set of problems may not fit the needs of other users of the system.
The Analyst’s Role—Documenting Requirements
One of the business analyst’s biggest challenges is to get the users to identify their requirements
rather than focus on a specific solution. The analyst conducts interviews and observes the process as it
exists and documents the process. Using the process analysis work done previously and by asking the
types of questions discussed above, the analyst gathers the requirements for the new or updated IT
system and begins to document them.
How Are Requirements Statements Written?
There are a number of “rules” for writing requirements statements. These rules help to ensure that the
requirements can be clearly understood and that it is possible to determine whether or not the new
system meets each of the requirements. Poorly written requirements lead to misunderstanding and
misinterpretation and can lead to a system that does not do what the users need it to do.
The analyst uses the list of requirements that the users identified and rewrites each requirement to
meet the criteria listed below.
Each requirement statement:
Either describes a task that the user needs the system to perform, or states a system
Identifies only one requirement; avoids the words “and,” “also,” “with,” and “or.”
Is a complete sentence, with a subject (usually “the system”) and predicate (intended result,
action or condition).
Uses “must” (not “may” or “should” or “will” or “shall”); written as “The system must….”
Is generally stated in positive terms (i.e., “the system must xxxx” vs. “the system must not
xxx”); however, there are times when “must not” is the more appropriate way to express the
Is measurable; includes a measure or metric that can be used to determine whether the
requirement is met (e.g., time or quantity), where appropriate; avoids the use of terms that
cannot be defined and measured, such as “approximately,” “robust,” “user friendly,” etc.
Is achievable and realistic; avoids terms such as “100% uptime,” or “no failures.”
Is complete; it can stand alone and be understood.
Must be testable; that is, there must be some way to test the system to determine whether the
requirement is met.
Below are some examples of poorly written and well-written requirements, with explanations of what is
wrong with the poorly written requirements statements.
Poorly Written Requirement
What Is Wrong
1. The syste
Users must have access to their personal data, which will be Two requirements (in this case, one user and one system
transmitted in a secure manner.
performance) are expressed; each statement should express only one
2. The syste
The system must calculate the total of all items in the online Two requirements are expressed; each statement should express only
or website shopping cart and display the total to the user.
Report must be provided within 5 seconds of the user
clicking on “submit.”
The system should require the user to provide a shipping
The system must be easy to use.
Not a complete sentence; and should be stated as “The system
Avoid the use of “should”; use “must.”
“Easy to use” is not measurable or testable.
The Requirements Document
Once the requirements statements are written correctly, they should be grouped into categories. The
first categorization is whether a requirement is essential or nice to have. As stated above, this is done
by asking the individual who identified it as a requirement, rather than using the analyst’s judgment.
Then, the requirements are grouped by the function or process involved so that the user community
can understand them. Using the accounting system example, the requirements might be grouped
under headings like: accounts receivable, accounts payable, payroll processing, financial reports, etc.
Arranging the requirements in a sequence that follows the steps in a task is also helpful. For example,
in establishing a receivable account, there are specific steps taken; if the requirements are listed in the
order that is generally used, it allows the end user to ascertain whether the list of requirements is
complete and accurate. Each requirement statement will be assigned a unique identifier so that it can
be referred to with ease and clarity. A full requirements document or “requirements specification” may
contain many hundreds, or even thousands, of requirements. Again, more detailed requirements are
needed for systems being built in-house or under contract. In the case of selecting a COTS product,
only the higher level essential user requirements and the system performance requirements need to be
in the on
in the on
The system must p
the user clicking on
The system must re
The system must p
user through the co
developed. Otherwise, if too many specifics are identified, it may be impossible to find a COTS
If all this documentation of requirements seems like it is very time-consuming, it is! Identifying and
documenting the requirements is the basis upon which all further system decisions will be made, so it
is a valuable investment of time and human resources. The later in the process that requirements
changes are introduced, the more costly they become to implement. In developing a system, it would
require the developers to go back and re-do portions of the system and re-test all the possible
outcomes; and, depending on the severity and impact of the change, it may prove to be extremely
costly. For COTS solutions, a significant change to one or more essential requirements may impact
which systems should even be considered. The upfront investment in defining the requirements helps
prevent downstream costs and delays.
© 2020 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of
information located at external sites.
Information Systems Security
As computers and other digital devices have become essential to business and commerce, they have
also increasingly become a target for attacks. In order for a company or an individual to use a
computing device with confidence, they must first be assured that the device is not compromised in
any way and that all communications will be secure. In this reading, we will review the fundamental
concepts of information systems security and discuss some of the measures that can be taken to
mitigate security threats. We will begin with an overview focusing on how organizations can stay
secure. Several different measures that a company can take to improve security will be discussed. We
will then follow up by reviewing security precautions that individuals can take in order to secure their
personal computing environment.
The Information Security Triad: Confidentiality, Integrity, Availability (CIA)
When protecting information, we want to be able to restrict access to those who are allowed to see it;
everyone else should be disallowed from learning anything about its contents. This is the essence
of confidentiality. For example, federal law requires that universities restrict access to private student
information. The university must be sure that only those who are authorized have access to view the
The Information Security Triad
Integrity is the assurance that the information being accessed has not been altered and truly
represents what is intended. Just as a person with integrity means what he or she says and can be
trusted to consistently represent the truth, information integrity means information truly represents its
intended meaning. Information can lose its integrity through malicious intent, such as when someone
who is not authorized makes a change to intentionally misrepresent something. An example of this
would be when a hacker is hired to go into the university’s system and change a grade.
Integrity can also be lost unintentionally, such as when a computer power surge corrupts a file or
someone authorized to make a change accidentally deletes a file or enters incorrect information.
Information availability is the third part of the CIA triad. Availability means that information can be
accessed and modified by anyone authorized to do so in an appropriate time frame. Depending on the
type of information, appropriate time frame can mean different things. For example, a stock trader
needs information to be available immediately, while a salesperson may be happy to get sales numbers
for the day in a report the next morning. Companies such as Amazon.com will require their servers to
be available 24 hours a day, 7 days a week. Other companies may not suffer if their web servers are
down for a few minutes once in a while.
Tools for Information Security
In order to ensure the confidentiality, integrity, and availability of information, organizations can
choose from a variety of tools. Each of these tools can be utilized as part of an overall informationsecurity policy, which will be discussed in “Security Policies.”
The most common way to identify someone is through their physical appearance, but how do we
identify someone sitting behind a computer screen or at the ATM? Tools for authentication are used to
ensure that the person accessing the information is, indeed, who they present themselves to be.
Authentication can be accomplished by identifying someone through one or more of three factors:
something they know, something they have, or something they are. For example, the most common
form of authentication today is the user ID and password. In this case, the authentication is done by
confirming something that the user knows (their ID and password). But this form of authentication is
easy to compromise (see “Password Security” below) and stronger forms of authentication are
sometimes needed. Identifying someone only by something they have, such as a key or a card, can also
be problematic. When that identifying token is lost or stolen, the identity can be easily stolen. The final
factor, something you are, is much harder to compromise. This factor identifies a user through the use
of a physical characteristic, such as an eye-scan or fingerprint. Identifying someone through their
physical characteristics is called biometrics.
A more secure way to authenticate a user is to do multi-factor authentication. By combining two or
more of the factors listed above, it becomes much more difficult for someone to misrepresent
themselves. An example of this would be the use of an RSA SecurID token. The RSA device is
something you have and will generate a new access code every 60 seconds. To log in to an information
resource using the RSA device, you combine something you know, a four-digit PIN, with the code
generated by the device. The only way to properly authenticate is by both knowing the code and having
the RSA device.
Once a user has been authenticated, the next step is to ensure that they can only access the
information resources that are appropriate. This is done through the use of access control. Access
control determines which users are authorized to read, modify, add, and/or delete information. Several
different access control models exist. Here we will discuss two: the access control list (ACL) and role based access control (RBAC).
For each information resource that an organization wishes to manage, a list of users who have the
ability to take specific actions can be cre…
Purchase answer to see full