Information Technology Auditing and Assurance - Report Example

The System Development Life Cycle The system development life cycle which is also commonly referred to as the Software development process is a term that is frequently used in software engineering, systems engineering and information systems. It is a term that is used to describe the process, stages, models and methodologies that are involved in coming up with an information system development project. The system development lifecycle as a concept encompasses several different kinds of software development methodologies. These different methodologies are the ones that end up forming the main skeletal framework that will be used in the main planning, and in controlling the development of an information system (Oz E., 2009, 415 -416 ). Custom Applications and Proprietary Systems Custom Software applications are also variously referred to as tailor made software or bespoke software. These are software that have been designed and developed for use by a specific group of customer for use within a company or organization as opposed to the use of off the shelf or packaged software which are often designed to meet the general needs of the mass market computer users. Custom Applications are designed for use by large companies to fill the needs within the organization that packaged software cannot be able to satisfy relating to the company’s internal processes. They are usually more expensive to produce as computer programming firms are forced to charge the company that the software is being produced for the full cost of designing and development of the application as opposed to packaged software whose cost can be distributed to the various customers who purchase it and hence resulting in lower purchasing costs. Proprietary Systems Proprietary Systems are computer software that have been copyrighted and licensed by the copyright holder. One cannot change or adapt them to suit their own specific needs through reverse engineering, modification or even further distribute the system. The system is wholly reliant upon software and equipment that have been licensed by the copyright holder who often provides the users with support. What the user can use the system to do is usually restricted by both certain blocks designed within the system to prevent certain activities from occurring and the terms and conditions of the license. In a nutshell, proprietary systems only allow people to use them but not change or fully modify them (Rexford K. and Giuliani P, 2004, 358). The System Development Lifecycle pertaining to the Development of Custom Application and the Selection of Proprietary Systems. In the development of a custom application using the system development lifecycle model, the development of an application is usually dissected into several different subsequent steps. Each individual step is supposed to deliver results that will also act as the input for the subsequent step. This model of the system development lifecycle is commonly known as the waterfall model. Periodic tests can be carried out within each stage to ensure that the step is producing good quality output for use in the next step. In the event that there are any errors in any of the subsequent steps, and the system is not able to solve tasks satisfactorily, it will be necessary for the programmer to go back through the previous phases to the exact phase where the decision that has led to the current problem was made. As such, it can be a very expensive process trying to correct errors in the system. The system development lifecycle can be outlined into six individual steps, these are; Phase I - Project Planning and feasibility Study During this step of the software development lifecycle, the existing system is developed by the developer and its current deficiencies are identified. The deficiencies are can normally be identified by conducting direct interviews with the persons who are in contact with the system on a daily basis and its current support personnel. This information helps the system developer to ascertain as to whether any proprietary system may be deployed or if the system desired will be adequate for the needs of the client. It also helps establish the cost effectiveness of the entire project (Wigand R., 2003). Phase II - System Analysis or Requirements Definition Step During this step, the demands for the intended system to be created are defined putting into consideration the perspectives of all the departments that will be involved in its use. During this phase, a requirements engineering assessment is carried out of the area in which the application system to be developed or the proprietary to be purchased, will be introduced for use. The demands that will be made on the new system are seen to evolve through the analysis that is made of the current system and the weak spots that were identified in the process (Wigand R., 2003). Phase III - Conceptual System Design In this phase, several conceptual alternatives that satisfy the needs of the intended system are produced. These are then presented to the users for them to choose the best option from among the options provided. The user studies and evaluates the different conceptual models and chooses the one that is most appealing and plausible. By doing this, the system developer avoids the imposition of any preconceived constraints on the proposed new system (Hall J., 2011, 183). Phase IV – Application Programming and Testing During this step, the actual coding of the program in the case of the creation of an application system takes place. In the case of proprietary systems, in this phase, the program that has been identified as being able to best satisfy the needs of the organization is purchased. Phase V – System Acceptance/ Implementation / Installation During this stage of development, the software is installed into the company’s equipment for use. Phase VI System Maintenance After the implementation of the system, this is the final phase it enters into. During this stage the system undergoes through various changes in order to fully accommodate the preferences and needs of the user. System maintenance can take a period of about 5 years or even longer. When the system is no longer feasible or the organization reorganizes its structure, a new system development lifecycle begins (Hall J., 2011, 204). The Major Types and classifications of Health Care Information Standards and the Specific Organizations that Develop and Regulate these Standards Identifier standard: Throughout the world, there is a unique need for the health care industry to have identifiers that can help it to uniquely specify each and every patient, product, provider and site-of-care although generally not everyone accepts or is satisfied with these systems. Patient Identifiers The United States is currently considering the use of the Social Security Number (SSN) as a patient identifier. Critics argue that this is not the most ideal identifier since not everyone has a SSN and in some cases, several people use the same SSN. Product and supply Labeling Identifiers In this category, three identifiers are widely accepted. These are, The Labeler Identification code (LIC) which identifies the products manufacturer or distributor and is issued by the HIBCC. The LIC is used in conjunction with barcodes and sometimes on supplies and products that have been distributed within health care facilities. The Universal Product Code (UPC) is under the maintenance of the Uniform code council and is used in the labeling of any products intended for sale in a retail setting. The National Drug Code is also used as an identifier. Communications (Message Format) Standards The standards in this category have been widely accepted by many vendors and users. They are usually developed by various committees found within standards development organizations (SDOs). Some of these include: Accredited Standards Committee (ASC) X12N This is the committee that is responsible for the development of the standards that will be used in transactions occurring between payers and providers. The secretariat for the ASC X12 is the Data Interchange Standards Association (DISA). The ASC X12N is officially recognized by the American National Standards Institute (ANSI) as an Accredited Standards Committee (ASC) (Friedman D., Hunter E. and Gibson R., 2005, 188). Digital Imaging and Communications in Medicine (DICOM) The DICOM Standards Committee is responsible for the development and maintenance of the international Standards that are used in the communication of biomedical diagnostic and therapeutic information using digital images. They are also used in dentistry, radiology, cardiology, etc. Health Level Seven (HL7) This standard is used for defining transactions use in the transmission of data pertaining to patient admission, registration, discharge and transfers, charges and payers, insurance, image studies, orders and results for laboratory tests, nursing and physician observations, pharmacy orders, diet orders, master files and supply orders. This system is currently being used by most of the larger hospitals in the U.S. today (Friedman D., Hunter E. and Gibson R., 2005, 188). Content and structure standards Guidelines and standards designed primarily for the content and structure of computer – based patient record systems in hospitals are being developed within ASTM subcommittees E31.19 and E31.12. Other standards organizations have acknowledged them and they are currently starting to gain some acceptance. The Need for Accomplishing the Security of Information Systems With major advances in networking technology and in the internet, it has become increasingly very easy for one to transfer and obtain any information very easily. Though the international connectivity is very convenient, it has resulted in increased vulnerability on our part to outside attacks. The ultimate goal of Information Systems Security (ISS) is to try and protect our information systems and information from these attacks. Information Systems Security helps ensure that our information systems are protected from any unauthorized modification or access while helping the legitimate system users in accessing their information. Security Information Systems play a big role in helping maintain the availability, confidentiality and integrity of our information systems. Threats and Methods of Accomplishing the Security of Information Systems Information Systems can be exposed to a variety of threats that can severely hamper their performance. Some of these threats and methods that can be used to ensure the information system’s security from them include; Internal Human Threats. This is the greatest threat to most information systems since the persons have a general idea of the workings of the systems and can be able to access the system quite easily. To protect against this, persons should only be allowed to use equipment and machines for which they have been provided with authorization and cleared to use. Personnel should also not be allowed to install any software onto the system or alter their configurations. The Company’s management should always be notified before there can be any relocation of any computing resources (Rainer R. and Cegielski C., 2011, 87). Some of the External Threats that a system can face include the threat of Social Engineering where hackers using this method try to trick individuals using the system into revealing passwords that can help them access a secured system. Users should not give out any of their passwords or participate in phone surveys (Rainer R. and Cegielski C., 2011, 88). Phishing which is used by Persons trying to obtain personal information by the use of websites and via e-mails. The information required is mostly in the form of credit card numbers, passwords, bank account information or even social security numbers. System users should always remember that legitimate companies never ask or sensitive information via email. Other Measures that can be taken to prevent Insecurity in Information systems include: Avoid installing mobile code into your computer system. Setting computer web browsers to not accept cookies as these can store vital information like bank and credit account numbers. The use of Peer to peer files sharing applications on company servers should be discouraged as this can lead to a company’s systems being exposed to a breach in security. People should be encouraged to scan any e-mails attachments that they receive using the most current antivirus software and delete any email that they receive from unexpected sources. This is done to prevent their systems from copying virus infected files. System users should be discouraged from forwarding any messages that they receive telling them to forward the said message to all their friends. This is because sending these messages known as hoaxes clogs and slows down the network. Best Practices for Effective IT Alignment and Strategy Planning The use of an IT advisory board / Steering committee is important so as to ensure that major policy decisions are made and the IT strategy goals are achieved (Kondabagil J., 2007, 52). Ensure that there is constant monitoring of the general progress of the company’s IT strategic plan and reports made on its progress (Rodrigues J., 2010, 60). Ensure that the persons using the system are trained on how to use it most effectively so as to ensure optimal utilization of the system and a reduction in delays that would normally result as a result of the workers not fully understanding the system (Hasman A., 2000, 182). References Friedman D., Hunter E. and Gibson R., (2005). Parrish Health statistics: shaping policy and practice to improve the populations health. New York: Oxford University Press. Hall J., (2011). Information technology auditing and assurance. Mason, Ohio: Thomson/South-Western. Hasman A., (2000). Medical Infobahn for Europe: proceedings of MIE2000 and GMDS2000. Amsterdam [u.a.]: IOS Press. Kondabagil J., (2007). Risk management in electronic banking: concepts and best practices. Hoboken NJ [etc.]: Wiley. Oz E., (2009). Management information systems. Boston, Mass.: Thomson/Course Technology. Rainer R. and Cegielski C., (2011). Introduction to information systems. Hoboken, N.J.: J. Wiley & Sons. Rexford K. and Giuliani P., (2004). Electrical control for machines. Clifton Park, NY : Thomson Learning. Rodrigues J., (2010). Health information systems: concepts, methodologies, tools and applications. Hershey PA: Medical Information Science Reference. Wigand R., (2003). Introduction to business information systems. Berlin [u.a.] : Springer -Verl. Read More