As a requirement of the Smallville contract, Gail Industries must conduct an information systems review to determine whether the systems meet and continue to meet the organisation’s objectives. Write as if to the client.
Review the Gail Industries Case Study.
Prepare a 4- to 5-page information systems review. Use a business writing format as found in our UOP CWE. Include the following:
An evaluation of current systems operations and maintenance practices
Determination of whether the level of service from internal and external service providers is defined and managed
Recommendations for improvements
Business Analysis Report guidelines
Business Proposal guidelines
Include a reference list of a minimum of 3 references in APA format.
Format your citations according to APA guidelines.
Written Report Expectations
Follow APA style guidelines
Include APA formatted references – minimum of 2, 3 or more is better
A title page does not count as a page of the report
Do not go over the page amounts
Content should address each bullet point of the assignment above
Use correct spelling, grammar, mechanics
Gail Industries Case Study
Gail Industries: Smallville Collections Processing Entity Case Study
This case study will be used to complete your assignments throughout the course. Some sections of the case study will be necessary in multiple assignments. See the assignment instructions for specific assignment requirements.
Introduction to Gail Industries
Gail Industries is a partner to many Fortune 1000 companies and governments around the world. Gail Industries’ role is to manage essential aspects of their clients’ operations while interacting with and supporting the people their clients serve. They manage millions of digital transactions every day for various back-office processing contracts.
One of Gail Industries’ clients is the city of Smallville. Smallville, despite its name, is a metropolis seated in the heart of the nation. The city has 2.5 million residents, and the greater Smallville metropolitan area has a population of about 4 million people.
Overview of the Operations of Smallville Collections Processing Entity (SCOPE)
The Smallville Collections Processing Entity (SCOPE) provides collections processing services to the city of Smallville. SCOPE receives tax payments, licensing fees, parking tickets, and court costs for this major municipality.
The city of Smallville sends out invoices and other collections notices, and SCOPE processes payments received through the mail, through an online payment website, and through an interactive voice response (IVR) system.
Payments are in the form of checks, debit cards, and credit cards. After processing invoices, SCOPE deposits the monies into the bank account for the city.
SCOPE is responsible for ensuring the security of the mail that comes into the possession of all employees, subcontractors, and agents at its processing facility, located within Smallville.
Controls and procedures for money and mail handling are established by SCOPE to ensure payments are accounted for, from the earliest point received through processing and deposit. These controls and procedures provide:
The purpose of collections processing is to receive and process various types of payments, post the payment data to the Central Collections System (CCS), and deposit the accompanying funds in the Smallville bank account. This process includes the following types of payment receipts:
A bonded courier picks up the payments from the United States Postal Service (USPS) facility in Smallville. SCOPE uses a subcontractor for courier services. This courier is dedicated, picking up and delivering mail only for SCOPE. This courier is also required to sign for registered, certified, and express delivery envelopes.
The daily success of payment processing depends on receiving mail quickly from the postal service, opening that mail, and properly sorting the contents for processing. Batches contain similar payment types: tax payments are processed together, court collections together, and so forth.
Deposits are made daily into the Smallville bank account. Electronic payments (debit cards, credit cards, and paperless checks) are deposited through an interface between CCSys and the bank. Checks are converted to electronic debits and deposited electronically. However, those that cannot be converted to electronic form are deposited in physical form.
Functional Areas of Operations
Gail Industries uses the following specific functional areas of operations for SCOPE:
Gail Industries services are designed around the following tools and technologies:
Gail Industries currently utilises cloud-based servers on the Amazon Web Services (AWS) platform for internet-accessible applications. Data capture, imaging, and the payment processing application run on local servers in a secured computer room. Local servers run both Linux and Windows Server operating systems. Data is stored on Microsoft SQL Server to provide storage of payment, image, and balancing data.
The servers supporting the CCS are housed within the server room (also known as the data centre) and are managed by Gail Industries’ IT staff. The IT staff provides the following services:
Control Objectives and Related Controls
Note: Only select control objectives and related controls are included in the list below.
Physical Security (Data Centre)
Control Objective 1: The controls provide reasonable assurance that physical access to computer resources within Gail Industries’ data centre is restricted to authorised and appropriate personnel.
To protect physical assets, management has documented and implemented physical access procedures to grant, control, monitor, and revoke access to the on-site data centre.
The data centre requires two-factor authentication: a biometric credential via retinal eye scanner and a badge access card. Individuals requesting badge access document the request on a standardised employee management form that must be approved by departmental management. Administrative access to the badge access system is restricted to authorised IT personnel.
When an employee is terminated, IT personnel revoke the badge access privileges as a component of the termination process. In addition, the IT manager performs a review of badge access privileges on a monthly basis to help ensure that terminated employees do not retain badge access.
All visitors must sign a logbook and present picture ID to their escort upon entering the data centre. Access is restricted to authorised IT personnel and equipment technicians.
CCTV surveillance cameras are utilised throughout the facility and the data centre to record activity; these images are retained for a minimum of 45 days.
Physical Security (Facilities)
Control Objective 2: Controls provide reasonable assurance that physical access to assets within Gail Industries’ facilities is restricted to authorised and appropriate personnel.
To protect physical assets, management has documented and implemented physical access procedures to grant, control, monitor, and revoke access to the on-site facility for SCOPE.
A door badge access system is employed to control access to areas within the facility (including the data centre) through the use of predefined security zones.
Individuals requesting badge access to the facility document the request on a standardised employee management form, accessible through Gail Industries’ employee on-boarding system (known as GEO). All requests must be approved by departmental management. Administrative access to the badge access system is restricted to authorised IT personnel.
Upon termination (voluntary or involuntary), IT personnel revoke badge access privileges as a task in the termination process. In addition, the IT manager performs a monthly review of badge access privileges to ensure that terminated employees do not retain badge access.
Both entrances into the facility are locked and are monitored by administrative personnel. The receptionist must unlock the door for visitor access. Visitors are required to ring a video doorbell and announce themselves to the receptionist. Visitors sign a logbook when entering the facility, and they are required to wear a visitor’s badge at all times. Visitors must be escorted by an authorised employee when accessing sensitive facility areas such as the mail room and server room.
CCTV surveillance cameras are utilised throughout the facility and server room to record activity. Video images are retained for a minimum of 45 days.
Control Objective 4: Controls provide reasonable assurance that changes to network infrastructure and system software are documented, tested, approved, and properly implemented to protect data from unauthorised changes and to support user entities’ internal control over financial reporting.
Documented change management policies and procedures are in place to address change management activities. Further, there are provisions for emergency changes to the infrastructure and operating systems. Change requests are documented via a change request (CR) form.
CRs include details of the change, including the change requester, the date of the request, the change description, and change specifications. Management, through the Change Advisory Board (CAB), holds a weekly meeting to review and prioritise change requests. During this meeting, management authorises change requests by signing off on the CR form.
Detailed testing is performed prior to implementation of the change in test environments that are logically separated from the production environment. The CAB approves the changes prior to implementation. The ability to implement infrastructure and operating system updates to the production systems is restricted to user accounts of authorised IT personnel.
Control Objective 5: Controls provide reasonable assurance that administrative access to network infrastructure and operating system resources is restricted to authorised and appropriate users to support user entities’ internal control over financial reporting.
Information security policies have been documented and are updated annually to assist personnel in the modification of access privileges to information systems and guide them in safeguarding system infrastructure, information assets, and data. Infrastructure and operating system users are authenticated via user account and password prior to being granted access.
Password requirements are configured to enforce minimum password length, password expiration intervals, password complexity, password history requirements, and invalid password account lockout threshold, as documented in the IT Policies and Procedures Manual.
The CCS application authenticates users through the use of individual user accounts and passwords before granting access to the applications. CCS utilises predefined security groups for role-based access privileges. The application enforces password requirements of password minimum length, password expiration intervals, password complexity, password history, and invalid password account lockout threshold.
Excerpt from IT Policies and Procedures Manual
Version 1.0, 12/31/2016
| 12/31/2016 | Ken Smith | Version 1.0, accepted by client |
This policy is intended to establish guidelines for effectively creating, maintaining, and protecting passwords at SCOPE.
This policy shall apply to all employees, contractors, and affiliates of SCOPE, and shall govern acceptable password use on all systems that connect to SCOPE network or access or store SCOPE, city of Smallville, or Gail Industries data.
It is the responsibility of the end user to ensure enforcement of the policies above.
If you believe your password may have been compromised, please immediately report the incident to the IT Department and change the password.