By recognizing the process or processes that are critical to be automated, organizations can begin to define the requirements a system must have to fulfill their needs. Many of the requirement that will be recognized as needs during the process will be identifies in a system analysis. The system analysis will consist of feasibility studies, system studies, and system requirement studies (Romney and Steinbart 621). Also during this phase, the organization will evaluate the current technology that is being used and make a decision on whether it will be able to house, operate, and maintain a new or additional information system. If determined by managers, IT professionals, and the steering committee that the current technology will not be sufficient for what the organizations plans to implement, an added expense of new or updated technology will be accounted and planned for. An additional expense that should be considered is the type and amount of security that is going to be needed (Radack). Due to industry regulations or organizational objective the basic requirements for security should be discussed to assure that they are not forgotten and are a main concern when acquiring or developing the system. Before continuing to the acquisition and development stage, organizations will need to analyze their budgets and the tests conducted in the initiation phase to decide what a feasible amount is that they should spend on an information system.
Throughout the acquisition and development phase organizations will continue to do research and analysis on the requirements that must be present in their system. The analysis will be conducted in a sequential order. It is important that organizations conduct adequate research to assure there are no loopholes for security breaches ones the system is implemented. What was developed during the initiation phase will be a foundation for what will be added during the acquisition and development phase (Radack). According to Shirley Radack, a formal risk assessment is used to ensure an organization has the security that is needed for their system. The formal risk assessment will work to identify threats and vulnerabilities that may be present in a system. With the potential threats, professional will be able to measure the risk for each threat and measure the potential impact it could have on the organization as a whole. This assessment of risk will be much more detailed and specific than what was presented in the initiation phase. With a comprehensive list of all the risks that may be present, organizations are now able to conduct a security functional requirement analysis. This analysis will take into consideration all of the current systems that are being used and all the current IT infrastructure. The analysis will be conducted by researching and listing all of the requirements that need to be present in any system to protect the confidentiality, integrity, availability of information, and any legal regulations that must be fulfilled (Radack). The next analysis will be used to show what controls and actions need to occur, the security assurance requirement analysis. To assure that all risks and threats are protected, this analysis should be conducted based on legal ramifications as well as system security operations. Managers should consider what controls are present and how they perform. By having a baseline knowledge of information technology security, managers will be able to make better predictions and guidelines for what needs they have for the new system(Radack).
Because all security requirements and plans are now agreed upon, organizations will decide whether they will acquire their new system from a vendors or whether they will develop the plan in house. When deciding which option is best for the organization they receive requests for proposals with estimated prices of each vendor’s system. They will also receive the capabilities of each system. With the capabilities of each system, managers will be able to make a decisions regarding what option will best cover all the security risks that are present. If managers feel that their organization’s IT professions have the capacity and capability to develop a system that is more cost effective and will cover all the security measures more effectively, managers may choose to develop the system in house.
Once the system has been either chosen or developed it will be ready to go through the implementation phase. The implementation phase is started with an implementation plan. The plan will be in the form of a formal report that will identify key factors including: tasks, estimated completion dates, costs, who is responsible and will be held accountable for different tasks (Romney and Steinbart 690). Also within the plan will be identified risk factors that the implementing team may experience that will limit the success of the implementation. Strategies for how the team will mitigate these risks will also be included.
For an organization that does not have an existing information system they may be required to install new physical infrastructure. In order to assure security and stability of system, organizations may be required to install new electrical outlets, raised floors, fire suppression and other protective measures (Romney and Steinbart 691). Once the infrastructure advancements are complete the software will be able to be implemented.
Prior to having the system go live to all users, there will be adequate testing of the system. A security plan as well as a test and evaluation plan should be constructed. These security plan will be a comprehensive report that consists of all of the planned risks and how those risks are planned to be mitigated or eliminated. The test and evaluation plan will consist of how the system is going to be tested to assure managers that all planned risks will be managed in their agreed upon manner. The tests will also test the functionality of the program to assure managers that the system will fulfil the goals that organization had for the system in the initiation phase. Evaluations often occur in the “sandbox” where only testers have access to the system. Tests are often conducted by someone within the organization or by an independent contractor (Radack). The testing is used to verify that the specifications required have been included in the system and are now a deliverable (Radack). Besides testing the functionality of the system, the security of the system also needs to be verified. Some independent contractors that tests systems grant a security certification if they feel that system adequately covers all the identities risks. This certifies that the system being implemented has the appropriate controls within it and those controls are operating to mitigate the risks of the company (Radack). The security certification is often times what gives managers and professions that confidence they need to allow the system to go live for all users.
Training should be conducted during the implementation phase to all users who will have access and who will use the system. Training sessions should be focused on the segment of the system that each individual has. This should be a departmentalized effort. For example, sales representatives of an organization should not be trained on the payroll section of a system. Users should only be trained on what the system is going to limit them to have access to. Users should have adequate time to experiment the program prior to being required to use the system. A question session or forum will allow system users to answer any questions that may be unknown. Once the system is completely implemented a report will be conducted and sent to the information steering committee (Romney and Steinbart 622).
Concluding the installment of the software and testing of the system, completion reports will be constructed. There are three types of documentation that must be provided for new systems: development documentation, operations documentation, and user documentation. The development documentation will provide details of program flowcharts, test results, and database layouts (Romney and Steinbart 692). Operations documentation will show schedules, equipment used, security measures, and file-retention requirements ((Romney and Steinbart 692). User documentation will show and teach users how to operate the system and provide additional procedures and training material ((Romney and Steinbart 692).
Due to the continuous advancements made in technology, it is important that systems are updated periodically and maintained to the highest feasible operating standards. Changes in hardware and software both could have substantial effects on a system and if changes occur, testing needs to be conducted. Organizations should be continuously looking to improve their system in order to increase efficiency as well as employee’s experiences. One way in which organizations are able to better the user experience is by listening and reaching out to users for their complaints, needs, and advice. Other reasons for changes include: technological changes, changes in business processes, productivity gains, and aging systems (Romney and Steinbart 619). It is estimated that each year in corporate America companies spend over $300 billion on software and IT updates (Romney and Steinbart 619). If changes are made to the system employees should be trained and updated on the changes. The supplemental training documents and procedures may also need to be revised to show any updated. A mistake made by an employee who was not aware of a change could result in a security breach or serious operation concern. The system should periodically be tested to assure that all security measures are still operating to their fullest capacity.
After a brief time of the system being implemented and operational a post-implementation review is conducted to determine whether or not the system has meet all the goals and objective that were originally set. During the review there will be many factors that will be investigated: ranging from employee satisfaction, security, and documentation (Romney and Steinbart 694). By reviewing and identifying any issues early in the operational life of the systems, managers will be notified and be able to make decisions on how to deal with those issues. A costly error could be caught during this post-implementation phase that would otherwise be significant financial loss or operations loss at a later date.
The final stage of the system development life cycle is the disposal of the system. In-order to save information from being leaked, disposal of a system can be one of the most critical parts. As system contracts near expiration and systems age, decision needs to be made in regards to all the data stored on the current system. As some of the data will need to be transferred to a new system, managers may decide that some data is obsolete and not needed. This data that needs to be maintained should be copied onto another system that has proven to be secure. The data that need to be disposed should be erased. The media that was responsible for storing that data should be sanitized (Radack). Sanitization can occur through the process of degaussing, overwriting, or media destruction (Radack). Obsolete hardware should also be disposed in an appropriate manner. One of the safest ways to eliminate the risk of sensitive information being released is through physical destruction of the hardware. This is often done by incineration (Romney and Steinbart).