Information Systems Support Policies

Workstations, servers, and mainframes require many of the same support policies. Work areas must be clean and air conditioned. On a daily basis, housekeeping resources must enter all work areas except the data library, server, and mainframe rooms for cleaning. There must be policies prohibiting food, beverages, and smoking in the vicinity of computer equipment and media. This may seem harsh, but more than one laptop or desktop has met its end by a spilled café grande.

Data libraries, where real-time and backed-up data are stored, are perhaps the most critical areas of the workplace. Generally, data libraries store magnetic tapes, optical disks, magnetic disks, application media, and paper-based documents. Often, there are data libraries required for ready access on the office site, while remote data libraries store materials in the event of disaster.

There should be policies governing the conduct of data libraries and the duties of the data librarian. The primary duty, of course, is to support the business' computer operations. Following is a list of data librarian duties for policy consideration:

- Upon receipt of new media, the librarian compares quantity received with the original order and billing information. If incorrect, the librarian notifies the operations manager.

- Inspects all media for physical damage. If any media is damaged, the librarian notifies the operations manager.

- Logs all new media and assigned identification numbers.

- Acknowledges all receipts and deliveries with the operations manager.

- At no time is the librarian to have access to applications or information systems of any kind, preserving separation of duties and least privilege.


Data Entry
Many senior managers have forgotten that data entry is still a vital part of business operations. There is a need to convert raw, bulk data such as credit card applications into a familiar format for use by information systems. Many companies utilize both centralized and decentralized data entry systems. In fact, it is becoming very popular to package and ship forms to foreign countries with relatively low labor costs for data entry. In most cases, the equipment of choice is the online monitor and keyboard; there are others consisting of bar code readers, optical or magnetic character readers, and voice recognition. Policies and procedures for online data entry are as follows:

- All employees and terminals are identified by proper codes to ensure that only authorized equipment and employees enter data.

- When the data is displayed on the monitor correctly, the operator keys in the proper code to transmit the data to the computer.

- All data is checked by the computer system, ensuring that the correct data is being entered. For example, if a field is no more than seven numerical characters in a specific range, the computer will not allow the operator to enter incorrect characters.

- All data entered are logged by terminal number and the data entry employee.

- At no time are the data entry employees to have access to computing hardware outside what is necessary for them to enter data.

- At no time are the data entry employees to have access to applications other than what is necessary for them to enter data. These last two steps help preserve separation of duties and least privilege.
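The online data entry controls listed above (identified terminals and employees, machine-checked fields, and logging by terminal and employee), sketched as an added example that is not part of the original text. The terminal codes, employee codes, and permitted range are constructed sample values, and the in-memory list stands in for a real append-only log.

```python
import re
from datetime import datetime, timezone

# Constructed sample values; none of these codes come from the original text.
AUTHORIZED_TERMINALS = {"T-014", "T-015"}
AUTHORIZED_OPERATORS = {"E-2207", "E-3310"}
ACCOUNT_RANGE = (1_000_000, 4_999_999)  # hypothetical valid range for the field
AUDIT_LOG = []                           # stand-in for an append-only log store


def _log(terminal, operator, outcome, detail):
    """Record every attempt by terminal number and employee, then return the outcome."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "terminal": terminal, "operator": operator,
        "outcome": outcome, "detail": detail,
    })
    return outcome


def submit_entry(terminal, operator, account_field):
    """Return 'accepted' or a rejection reason; every attempt is logged."""
    # 1. Only identified equipment and employees may enter data.
    if terminal not in AUTHORIZED_TERMINALS:
        return _log(terminal, operator, "rejected:terminal", "unknown terminal code")
    if operator not in AUTHORIZED_OPERATORS:
        return _log(terminal, operator, "rejected:operator", "unknown employee code")
    # 2. Field check: at most seven characters, ASCII digits only.
    #    fullmatch avoids the trailing-newline match that '$' would allow, and
    #    [0-9] rejects non-ASCII digits that str.isdigit() would accept.
    if not isinstance(account_field, str) or not re.fullmatch(r"[0-9]{1,7}", account_field):
        return _log(terminal, operator, "rejected:format", "not 1-7 ASCII digits")
    # 3. Range check on the parsed value.
    low, high = ACCOUNT_RANGE
    if not low <= int(account_field) <= high:
        return _log(terminal, operator, "rejected:range", "outside permitted range")
    # Rejected input is never copied into the log; only validated values are.
    return _log(terminal, operator, "accepted", f"account={account_field}")
```

Rejections are logged as well as accepted entries, so repeated failures from one terminal or employee code are visible to whoever reviews the log.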


Technical Support
The primary purpose of the technical support units is to provide technical services to computing equipment and software users. There are basically four sections for which they have responsibilities:

1. Communications. The communications support unit is responsible for hardware, software, wiring, cabling, maintenance, and lease services for the operation of all business communications. Included here are the local area networks (LANs), wireless networks, and wide area networks (WANs). They also are responsible for telephone communications, including cellular and wireless, and their respective billing.

2. Database administration. The database manager oversees a number of administrators who maintain and control the processing related to the company's databases. Their related duties include:

- Selection and maintenance of database software

- Control database access, including which employees can create information, read specific information, change information, add information, and delete information

- Maintain file and database backups

- Provide consultations to relevant database users

- Provide disaster-planning procedures and test them

- Report immediately any security breaches or data corruption

- Maintain directory services


The last duty, depending on the organization's size, can constitute a sizeable part of the database administrator's duties. A directory is a collection of information for a given application. It may hold all the information relating to each application, such as user access and logons. Database administrators are responsible for the directory's integrity and security. It is important to maintain a division between database support unit employees and production applications so that separation of duties and least privilege are observed.

3. Software support. These are the program engineers responsible for supporting the operating systems, applications, and in-house developed and purchased software applications. Some of their responsibilities include but are not limited to:

- Make approved changes to the operating system software when directed by senior managers in writing.

- Document all changes to any production software.

- Report immediately any security issues in any production software.

- Report immediately any physical security breaches.

- Inform computer operators of programming changes in written form.

- Test new software before introducing it to a production environment.

- At no time should any programmer have access to live data in any form. Further, at no time should any single employee, programmer or otherwise, have the ability to change the operating system code or any of the production applications. These restrictions will help maintain an atmosphere of least privilege and separation of duties.


4. Workstation/server help desk. These are the employees whose work affects the majority of the organization's computer users. They generally address issues such as:

- Workstation and server configurations. They establish standard operating procedures, ensuring that all workstation and server configurations are the same from machine to machine and platform to platform. With standard configurations observed, they can readily identify security or abuse issues and handle them.

- Provide service to employees having difficulty with their equipment and software.

- Service and maintain peripheral equipment.

- Make recommendations of equipment and software.

- Monitor performance and provide feedback to senior managers.

- Train users to maximize equipment and software use.

- Maintain inventory of hardware and software.

- Maintain hardware and software licensing.

- Provide and maintain list of approved software applications.

- Test and approve software and equipment for security and place into production.

- Approve installation of specified software applications.

- Report any security violations involving users.


As with other employees, there must be a separation of duties in that these employees must never have the ability to access live production data, operating system code, or application programming.
