Students Record System Project


Management Information Systems Strategy and Security Risks

University Student Record System Report

Group Yiota Members:

Manpreet Chandhok 1136535


Oyediran Oyepeju 1119124
Chisanga Mkasanga 1135484
Joy Das 0419570

Contents
1. Introduction
1.1. Project scope
1.2. Gantt chart
2. Requirements Analysis
2.1. Software requirements
2.2. Hardware requirements
2.3. Functional requirements
2.4. Non-Functional requirements
3. Design and implementation
3.1. Use case diagram
3.2. Entity relationship diagram
3.3. Database schema
3.4. Home page
3.5. Add/edit/delete student
3.6. Form validation
3.7. Report generation
4. Importance of Information Systems Strategy and its Benefits
4.1. Maintenance factors
5. Interactions of Student Database with the Internal Information Systems
6. Security and Risk planning for the Student Database
6.1. Introduction
6.2. Purpose
6.3. Objective
6.4. Management Information System Overview
6.4.1. The System
6.4.2. Target Audience
6.4.3. Key Roles
6.5. Risk Assessment
6.5.1. Threat Identification and Control Methods
6.5.2. Vulnerability Identification and Control Methods
7. Conclusion
8. References
9. Appendix

1. Introduction

The primary goal of an IS system is to provide leverage to the organisation’s strategy
whereby it positively impacts its administrative, operational and competitive roles
(Henderson and Venkatraman, 1999; Morgan, 2002; Premkumar et al., 1992).

The student database is an integral part of the University’s IS and strategy. A robust student
database successfully fulfils the various demands of allied computer based IS systems and
caters to the interwoven information systems requirements of the University.

Therefore, an IS has become an integral part of all business models. It is indispensable to
the organisation in overcoming competition from the various forces in the market and in
raising the competitive advantage of the business to a higher level. Modern IS
applications have played a significant role in organisational transformation (Henderson and
Venkatraman, 1999; Luftman and Brier, 1999; Prahalad et al., 2002) and, at the same time,
provide feedback to the management to enhance the IS capabilities and thereby sustain its
competitive advantage.

1.1. Project scope

The aim of the project is to create a student MIS system. There will be at least two levels of
users. Administrators will be able to add student details, i.e. their personal details, previous
qualifications, academic issues and course information. Students, on the other hand, will be
able to view their own record as well as change it. The admin will be able to generate
three reports just by clicking the buttons.

1.2. Gantt chart

The Gantt chart provides a breakdown of the whole system, from requirement gathering to
testing the system. It gives a realistic view of how well the project is going according to the
plan and whether any changes are necessary.

2. Requirements Analysis

2.1. Software requirements

• The system will be built using web-based technology: Apache as web server,
MySQL as database engine, and HTML, CSS and JavaScript for front-end design and
user interface.
• The only language it supports is English at the moment.
• Bootstrap (available at http://twitter.github.com/bootstrap/) and jQuery (available
at http://jquery.com) will be used for enhanced user experience.
• A modern web browser with JavaScript enabled.

2.2. Hardware requirements

• Internet enabled PCs, laptops and smart phones
• Windows 7/8/Vista, 512MB RAM, 2GB HDD
• Mouse
• Keyboard

2.3. Functional requirements

• Forms have to be validated before submission.
• Admin cannot add an additional course for a student before his/her current course
expires.
• Only admin will be able to add/edit/delete course and other information.
• Students are able to edit only their own personal details.
• Students can’t view any other student account apart from their own.
• All pages enforce authentication, so only logged-in and authorised users will
be able to view the pages.
• Admin should be able to generate at least three reports.

2.4. Non-Functional requirements

• All fields must be highlighted if they are not validated properly
• The navigation has to be easy and user friendly.
• The page load will be fast enough to access with a moderate internet
connection.
• The sections of the website will be well structured.
• Sensitivity of the system
• Ambiance of appearance, font, colours
• Performance of system
• Easy to use & recall
• Back up of data & records
• Upgrading options of the system
• Expandability of the system

3. Design and implementation

3.1. Use case diagram

This use case diagram is used to gather ideas about some of the functionalities of the system.
Not all of the functionalities were implemented but it shows the future scope of the system.
Once the database fields were decided, the normalisation process was done and the entity
relationship diagram was produced.
3.2. Entity relationship diagram

3.3. Database schema

Once the entity relationship diagram is produced, the appropriate tables and their attributes
are created in the MySQL database. Below is a screenshot of the database schema.

Figure 1: Database schema taken from MySQL

3.4. Home page

The home page or index page of our project is a login page which works as a gateway for
all other pages. Anyone who is not logged in and tries to access other pages will be
redirected to the home page. Any unauthorised access will also be denied and redirected
to this page. Username and password are required fields, and from the dropdown students
and administrators choose their corresponding user group to log in to the system.

Figure 2: Screenshot of homepage


3.5. Add/edit/delete student

Administrators have the right to add students. They can also edit any student details as
well as deactivate/reactivate a student account for any valid reason. Students, however, are
authorised to edit their personal details only. If they try to edit other details, either their
own or other students’, they will not be able to do so.

3.6. Form validation

All forms come with a validation check, so any required field has to be filled in before the
form gets submitted. Fields will be highlighted if they fail validation. Apart from the required
fields check, there are other forms of validation, including a valid email check and custom
validation rules; for example, a course start date can only be set for a student if he/she is
currently not doing any course.

Below are some of the screenshots of validation in action.
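
The rules in sections 2.3, 3.5 and 3.6 protect the records only if the server re-checks them on every request, because validation done in the browser can be bypassed. The PHP below is an added example, not the project's own code; the field names, the session layout and all function names are assumptions, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Added example. Field names, roles and the session layout are assumptions;
// the report shows its real schema only as a screenshot.

// Personal-detail fields a student may change on their own record (assumed).
const STUDENT_EDITABLE_FIELDS = ['address', 'post_code', 'email', 'phone'];

// Sections 2.3 and 3.5: admins edit anything, students only their own
// personal details.
function canEditField(array $user, int $targetStudentId, string $field): bool
{
    $role = $user['role'] ?? '';
    if ($role === 'admin') {
        return true;
    }
    return $role === 'student'
        && ($user['student_id'] ?? null) === $targetStudentId
        && in_array($field, STUDENT_EDITABLE_FIELDS, true);
}

// Strict Y-m-d parser: rejects text such as "2012-02-31", which PHP would
// otherwise roll over to a date in March.
function parseDate(string $value): ?DateTimeImmutable
{
    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    return ($date !== false && $date->format('Y-m-d') === $value) ? $date : null;
}

// Section 3.6 custom rule: a new course may start only after every existing
// course of that student has ended. $courses holds ['end' => 'Y-m-d'] rows.
function hasRunningCourse(array $courses, DateTimeImmutable $newStart): bool
{
    foreach ($courses as $course) {
        $end = parseDate((string) ($course['end'] ?? ''));
        if ($end === null || $newStart <= $end) {
            return true; // unreadable end dates fail closed
        }
    }
    return false;
}

// Returns [field => message]; an empty array means the update may be saved.
function validateUpdate(array $user, int $targetStudentId, array $input, array $courses): array
{
    // Authorisation first: one forbidden field rejects the whole request.
    foreach (array_keys($input) as $field) {
        if (!canEditField($user, $targetStudentId, (string) $field)) {
            return [(string) $field => 'not authorised'];
        }
    }
    $errors = [];
    foreach ($input as $field => $value) {
        if (trim((string) $value) === '') {
            $errors[$field] = 'required';
        }
    }
    if (!isset($errors['email']) && isset($input['email'])
        && filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid email address';
    }
    if (!isset($errors['course_start']) && isset($input['course_start'])) {
        $start = parseDate((string) $input['course_start']);
        if ($start === null) {
            $errors['course_start'] = 'invalid date, expected YYYY-MM-DD';
        } elseif (hasRunningCourse($courses, $start)) {
            $errors['course_start'] = 'current course has not expired';
        }
    }
    return $errors;
}

// Constructed sample data.
$admin   = ['role' => 'admin'];
$student = ['role' => 'student', 'student_id' => 1001];
$courses = [['end' => '2014-06-30']];

$cases = [
    'student edits own email'        => [$student, 1001, ['email' => 'a.student@example.org']],
    'student edits another record'   => [$student, 1002, ['email' => 'a.student@example.org']],
    'student edits own course'       => [$student, 1001, ['course_start' => '2014-10-01']],
    'admin adds overlapping course'  => [$admin, 1001, ['course_start' => '2013-10-01']],
    'admin adds course after expiry' => [$admin, 1001, ['course_start' => '2014-10-01']],
    'admin submits bad email'        => [$admin, 1001, ['email' => 'not-an-email']],
];
foreach ($cases as $label => [$user, $target, $input]) {
    $errors = validateUpdate($user, $target, $input, $courses);
    echo $label, ': ', $errors === [] ? 'accepted' : json_encode($errors), PHP_EOL;
}
```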


3.7. Report generation

The system allows an administrator to generate three reports just by clicking some predefined
links. The links are located in the top menu and, once clicked, the appropriate report is
generated and shown on screen. Below are the screenshots of three reports.

Figure 3: Report of students started course before 25-06-2012

Figure 4: Report of units of BSc in Computer science

Figure 5: Report of all academic issues of students registered in October 2011


4. Importance of Information Systems Strategy and its Benefits

In considering the benefits of a student oriented management information system (MIS), we
will discuss what is known as the Information Systems Strategy Triangle. This triangle relates
business strategy with IS strategy and organisational strategy (Keri, P, Carol, S 2009).

Strategic management of information systems tells us that “Successful firms have an
overriding business strategy that drives both organisational strategy and IS strategy. The
decisions made regarding the structure, hiring practices, and other components of the
organisational strategy, as well as decisions regarding applications, hardware, and other IS
components are all driven by the firm’s business objectives, strategies and tactics. Successful
firms carefully balance these three strategies they purposely design their organisation and IS
strategies to complement their business strategy” (Keri, P, Carol, S 2009 p.23).

From this we can see the importance of linking the three strategies to have a successful
organisation. In creating the student MIS, we had to consider the objectives, purposes and
goals of the university, i.e. its business strategy, to then create an IS strategy (Keri, P, Carol, S
2009). Strategic management of information systems defines a business strategy as “a plan
articulating where a business seeks to go and how it expects to get there” (Keri, P, Carol, S
2009).

IS strategy is the plan the organisation uses in providing information systems and services
and must then complement the business strategy (Keri, P, Carol, S 2009). Both the
organisational strategy and IS strategy complement each other and would have to be
considered when creating or changing the business strategy as new techniques are introduced,
which could then further determine where a business goes, for example the introduction of an
MIS to the business. The student MIS is what is known as an e-business. In the Management
Information Systems book it is defined as “the use of internet technologies to work and
empower business processes, e-commerce, and enterprise collaboration within a company
and with its customers, suppliers and other business stakeholders” (James, O, George, M
2011 p.46). The student MIS has a web interface that allows users of the system to log in and
access information through a web browser.

A student oriented MIS for the university would be beneficial in many ways.

• The university would be able to speedily capture the exact and accurate details from a
large number of students who join various courses. This data would then be added
into the university’s database and, with the help of the MIS, converted into valuable
information for both staff and students of the university.
(Source of Information and communication)

• An administrator (staff) would have full access to the MIS, unlike the student. The
administrator would be able to add, remove or modify details of students, making it
easier to manage information held about students. (Access rights)

• Staff would also benefit from the University MIS by being able to carry out searches
in the databases which would generate the valuable information needed. For example, if a
member of staff needs to find out which students studied a particular course, the MIS
would then generate a list of the students that fit those criteria. (Annual reporting)

• The student MIS would support the processes and operations of the university, the
decision making by the employees and managers and also strategies for competitive
advantage (James, O, George, M 2011). (Marketing function)

• The student MIS is also beneficial to the student. The student will be able to log in and
find out valuable information stored about him/her, make any changes in some parts
of that information if need be, view modules taken in their course and view their
results. The student would not have to follow up different lecturers just to find out this
information; he/she simply logs into the MIS and gets what they need. (Student
access)

• The MIS would help the university with decision making in many ways. They would
be able to know how many students were enrolled on a particular course, compare
which courses had more students, know how many students were enrolled
in that year and compare whether they have more students than in the years before that.
(Admin enrolment metrics)

• The MIS would keep an up-to-date record of the fees and payment details to maintain
a complete accounting system that enables easy and confidential access to the finance
of the university. (Finance)

4.1. Maintenance factors

• The university database is designed to capture vast amounts of data of various
types, such as character, number, Boolean and other types of data.

• A good database has to make it possible to maintain these types of data and
to query this data for various reports.

• Data maintained in the database is used to generate financial reports and feeds
into the annual financials of the University. There is therefore a dire need for data
security.

• A maintenance plan for the database is essential and would include either real time
or scheduled timely back up to ensure uninterrupted access to the data without
any outage and as a fall back in case there is a problem with the main database.

• Student feedback about the database could be used to improve the system in
future.

5. Interactions of Student Database with the Internal Information Systems

The student Management Information System developed in this project highlights the
importance of Management Information Systems in a University student record system.
According to Jun, H, & King, W (2008), since computing has become part of business, the
importance of Information System Development (ISD) has also taken priority among the
users.

The Student MIS so developed in this project interacts with the other Information Systems
that are also functioning in the University and share information with the student Information
System.

The other information systems in the University include:

1. The Transactional Processing System
2. The Management Reporting System
3. The Decision Support System
4. The Executive Information System
5. The Office Information System

[Diagram: the Student MIS linked to the Transactional Processing System (TPS), the
Management Reporting System (MRS), the Decision Support System (DSS), the Executive
Support System (ESS) and the Office Information System (OIS) of the University]

The diagram above shows the interaction of Student MIS with other IS in the University.
1. The Transactional Processing System (TPS): The TPS is the system that is used in
on-line mode and immediately updates the back end with the data that was
input. The student database is a vital source for this system, as any information about
the student is immediately updated in this system. The database developed has the
capability of integrating with the transactional processing system, e.g. for the updating
of an address, post code etc.
However, studies in the field of TPS have revealed that transactions performed by
humans are error prone and, therefore, there is scope for automating the process with
the use of natural language processing techniques.

Ochodek, M, Alchimowicz, B, Jurkiewicz, J, & Nawrocki, J (2011): Human-performed
transaction identification is error prone and quite subjective. Its reliability
can be improved by automating the process with the use of natural language
processing techniques.

2. The Management Reporting System (MRS): The MRS takes its inputs from the
Student Information System to generate reports. When extracting the report about
all the students who registered after October 2011, the MRS
accesses the information from the student MIS system.

Example: Reports such as, the number of students who joined in the month of October,
the number of students who have opted for BSc computer science etc. can be retrieved
using the MRS.

3. The Decision Support System (DSS): The student MIS is an input to the DSS system
of the university which is the core system and helps the top management to take
decisions based on the input from the student MIS.

A good example would be the running of the “i-grad survey”, based on the
answers in the student MIS. Once this information is processed by the DSS, the
management can review it and take the necessary decision.

4. The Executive support system (ESS): This system helps in providing the top
management with a global picture of the performance of the University. It helps the top
management draw summarised reports in charts and other summarised forms.

A good example of this can be cited in the metrics displayed for the overall pass
percentage of the students across various courses in the semester.

5. The Office Information System (OIS): This system takes its input from the student
MIS. The OIS system is updated by the office and faculty team with the relevant details
for each of the students.
A good example could be cited in the process of updating the attendance of students by
the office. The updating of grades in the Student MIS by the tutors also comes in this
category of IS systems.

The figure below shows the various functions that are impacted by the Student MIS system in
the University:

Cross-functional nature of business processes (Keri, P & Carol, S 2009)

Levels of Interactions of the Student MIS system in the organization:

The student database system forms the base of the University’s Information System model.
The student database provides the inputs to the various IS that are used in the daily activity at
the university. The hierarchical stacking of the use of IS in the university is as seen below:

1. Operational Level used by accounting, finance, administration etc. teams
2. Knowledge Level used by the teaching staff
3. Management Level used by the middle management to draw reports
4. Strategic Level used by the senior management to take decisions

The above diagram shows the hierarchy of IS and the group served [11]

Utilisation of student database information by various other IS in the University. This
information is utilized by the other IS to perform the following activities:

TPS
• Accounts
• Finance
• Administration
• Library
• Security Access

MRS
• Fees received from Computer science students
• Overall attendance of Computer science students
• Feedback from CS students

DSS
• Information to decide the start of New course
• Change of Units in course to suit Industry requirements
• Ascertain popularity of a course

ESS
• The ranking of the University based on the pass percentage
• The popularity of University based on survey results across UK

OIS
• Salary to employees at University
• Overall attendance in various courses
• Assets in University and allocation to students

The above diagram shows the various working modules in each IS in the University.

6. Security and Risk planning for the Student Database

6.1. Introduction

Stoneburner, Goguen and Feringa (2002) stress that risk is the adverse impact resulting
from the exercise of a vulnerability, considering both the probability and the impact of
occurrence. Risk management is the process of identifying risk, assessing risk, and taking
steps to reduce risk to an acceptable level.

Risk mitigation of the Management Information System, however, refers to prioritizing,
implementing, and maintaining the appropriate risk-reducing measures recommended from
the risk assessment process.

6.2. Purpose

The sole purpose of this report is to help administrative users of the university student record
system to better mitigate identified and other related risks of Information Systems by
providing the definition and the appropriate practical guidance necessary for risk assessment
and mitigation. This report provides information on the selection of an applicable risk mitigation
plan and cost-effective security controls which can be used to mitigate risk for the protection
of information and the system itself in the event that the system should fail, or be out of
action for a period of time.

6.3. Objective

The objective of performing risk mitigation is to enable the university to accomplish its
mission(s) by adequately protecting its IT systems and data, as well as to support management
in effective decision making on IT systems operations, control and procedures.

6.4. Management Information System Overview

6.4.1. The System

The University Student Record System is a Management Information System that ensures
and supports the collection, processing and storing of student information in an efficient
manner. Information for the student will be entered into the system from the student
registration user interface which has been developed with HTML/CSS along with PHP
scripting and MySQL for the back end/database implementation.
6.4.2. Target Audience

This report will serve as a system’s security guide for the technical and non-technical
personnel of the University of Bedfordshire who use the student record system for
information processing. These personnel include network, system, application and database
administrators; Chief Information Officer; senior management of the university and
appropriate academic staff.

6.4.3. Key Roles

The key roles of the principal players who should support and participate in the risk
mitigation process are:

System Administrator. The system administrator in the context of this project may also be
regarded as the database administrator and/or the Chief Information Officer. His roles will
include:

• Registering, granting privilege access level and issuing login credentials to other users
of the system who will participate in the risk mitigation process
• Registering students by inputting their personal details, academic qualifications, student
proposed course information, study details and sometimes academic issues for students.
• Managing the database as well as protecting it.
• Performing data back up on a regular basis.

Academic Staff. The appropriate academic staff who will participate in the risk mitigation
process may include the teaching staff, student support staff and the finance team.
Their roles, in no particular order, will include:

• Recording academic issues for students
• Recording student results
• Processing and managing student payments.

6.5. Risk Assessment

A risk assessment has been conducted to determine the likelihood and magnitude of the
potential threat and risk associated with the student record system and data. This analysis is
grouped into threat identification and vulnerability identification along with their
recommended control methods.
6.5.1. Threat Identification and Control Methods

The following are identified threats to the student record system and data that could
potentially cause the system to fail or be put out of action for a period of time, if not
permanently.

1. Application Instability. Systems are prone to instability, and so are the applications
that enable the functions and operations of the system. The Apache web server being
implemented for the database is likely to become unstable due to an obsolete version,
changing system hardware, bugs or user maladministration.

Preventative Controls
• Continuity of support from application developer or company
• System or application security procedures
• Application training for users
• Data backups

2. Hack Attack. The system is prone to malicious attacks, system intrusion, break-ins and
unauthorized system access from hackers and crackers.

Preventative Controls
• Periodic review of security controls
• System authorization and reauthorization
• Communications firewall (e.g. dial-in, system interconnection, routers)
• Data cryptography
• Intrusion detection
• System audit

3. Insider Attack. Sensitive information stored in the system is prone to insider attack. An
insider can be a disgruntled user such as a member of staff or even a student. The
likelihood of such an attack and the magnitude of damage will depend upon the attacker’s
motivation, e.g. monetary gain or determination to take revenge on people or the university.

Preventative Controls
• Personnel clearance and background investigations
• Periodic review of security controls
• Discretionary access control
• Identification and authentication
• Intrusion detection
• System audit

4. Environmental Threat. This threat type includes, but is not limited to:

a) Failure of environmental controls, such as air conditioning, chilled water systems,
humidifiers/de-humidifiers, and heating systems.
b) Failure of supporting utilities, such as power and telecommunications.
c) Failure of automated or manual fire and smoke suppression controls, to include both
the failure to work when required and the false activation when not needed.
d) Inappropriate or inexplicable behaviour of systems and applications due to design
flaws creating a denial of service or other vulnerability.

Preventative Controls
• Control of air-borne contaminants (smoke, dust, chemicals)
• Facility protection (e.g. computer room, data centre, office)
• Humidity control
• Temperature control

5. Natural Threat. This type of threat includes the inevitable acts of nature such as
earthquake, hurricane, and flood. The magnitude of the impact of any of these threats to the
system – network or storage equipment – could prove to be disastrous and possibly put the
system out of action for a period of time.

Preventative Controls
• Incident response capability
• Facility protection (e.g. computer room, data centre, office)
• Asset insurance
• Distributed storage or off-site data back up

6. Physical Threat. The equipment that supports both the deployment and operations of the
student record system, such as personal computers, network equipment and the data storage
facility, is likely to be subject to physical attack like fire, theft or vandalism.

Preventative Controls
• Facility protection (e.g. computer room, data centre, office)
• Equipment access control
• Fire alarm installation

7. Social Engineering. Users with privileged access to the system are liable to
manipulation or to divulging confidential information to potential attackers by means of
phishing, baiting and tailgating.

Preventative Controls
• Identification and authentication
• Security and technical training
• Separation of duties
• System authorization and reauthorization
• Installation of antivirus and antimalware

8. Network Downtime. Network breakdown, whether associated with a fault at the Internet
Service Provider (ISP), server downtime, or attack or damage on network equipment, could
cause temporary or prolonged communication failure in the system if not properly
managed.

Preventative Controls
• Humidity control on network equipment
• Temperature control on network equipment
• Communications redundancy (e.g. network interconnection, spanning tree protocol)
• Hardware protection (e.g. routers, hubs, switches, cables)
• Alternative network selection

9. Power Outage. Power failure could occur at any time and therefore cause the system to be
unavailable to users.

Preventative Controls
• Installation of Uninterruptible Power Supply (UPS)
• Back-up power generation
• Controls to ensure the quality of the electrical power supply
• Switch from automatic to manual process

6.5.2. Vulnerability Identification and Control Methods

The following are identified as threats that pose serious exposure to the internal and external
security controls of the university student record system and its data.

Vulnerability | Preventative Controls
1. Accounts with system privileges where the default password, such as “ADMIN”, has not been changed | Security training for users. Auto detection of weak and common passwords. Password encryption.
2. Terminated employees | Revoke terminated employees' system credentials.
3. Programs with unnecessary privileges or known flaws | Continuity of support from application company. Alternative sourcing. Installation of antivirus. System or application security plan.
4. Weak access control settings on resources | Periodic review of security controls. Data media access and disposal. Discretionary access control.
5. Weak firewall configurations | Intrusion detection. Setting up of demilitarized zone. System audit.
6. Misconfigured devices | Technical training for users. Continuity of support from Device manufacturer.
7. Poor user training | Security and technical training. Comprehensive and accessible security manual.

Above is the Vulnerability Identification Table
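
One way to implement the controls in row 1 of the table, given here as an added example in PHP that is not the project's own code: new passwords are checked against default and common values, existing accounts are audited for unchanged defaults, and passwords are stored with PHP's password_hash, a salted one-way hash used here in place of reversible encryption. The word list, the 12-character minimum and the account names are assumptions, and the sample accounts are constructed.

```php
<?php
declare(strict_types=1);

// Added example. The word list, the 12-character minimum and the account
// layout are assumptions, not values taken from the report.
const DEFAULT_PASSWORDS = ['admin', 'administrator', 'password', 'changeme', '123456'];
const MIN_LENGTH = 12;

// "Auto detection of weak and common passwords": returns the reasons a
// proposed password must be refused (empty array = acceptable).
function passwordProblems(string $username, string $password): array
{
    $problems = [];
    $lower = strtolower($password);
    if (strlen($password) < MIN_LENGTH) {
        $problems[] = 'shorter than ' . MIN_LENGTH . ' characters';
    }
    if (in_array($lower, DEFAULT_PASSWORDS, true)) {
        $problems[] = 'default or common password';
    }
    if ($lower === strtolower($username)) {
        $problems[] = 'same as the username';
    }
    return $problems;
}

// Stores only a salted one-way hash; the plain password is never kept.
function hashForStorage(string $username, string $password): string
{
    $problems = passwordProblems($username, $password);
    if ($problems !== []) {
        throw new InvalidArgumentException(implode('; ', $problems));
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Audit of existing accounts ([username => stored hash]): lists the users
// whose hash still verifies against a default password or their own username.
function accountsWithDefaultPassword(array $accounts): array
{
    $flagged = [];
    foreach ($accounts as $username => $hash) {
        $guesses = array_merge(DEFAULT_PASSWORDS, [(string) $username]);
        foreach ($guesses as $guess) {
            if (password_verify($guess, $hash)
                || password_verify(strtoupper($guess), $hash)
                || password_verify(ucfirst($guess), $hash)) {
                $flagged[] = (string) $username;
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample accounts. The first two simulate legacy rows created
// before any policy existed, so they call password_hash() directly.
$accounts = [
    'admin'     => password_hash('ADMIN', PASSWORD_DEFAULT),
    'registrar' => password_hash('Registrar', PASSWORD_DEFAULT),
    'finance'   => hashForStorage('finance', 'tide-lantern-orbit-47'),
];

echo 'Accounts to force a password change on: ',
    implode(', ', accountsWithDefaultPassword($accounts)), PHP_EOL;

try {
    hashForStorage('admin', 'ADMIN');
} catch (InvalidArgumentException $e) {
    echo 'Rejected new password: ', $e->getMessage(), PHP_EOL;
}
```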

1. Risk Response Strategies

A security concern arises wherever a vulnerability exists in the system. The occurrence
of any attack could cause the following security concerns, combined or independently:
• Disclosure of information
• Data modification
• Unavailable resources
• Identity spoofing
• Lost revenue
• Damaged reputation and
• Theft of equipment.

Therefore the threats and vulnerabilities identified above need to be addressed with
appropriate risk response strategies to ensure risk mitigation and security of the system and
its data.

The response strategies [1] to be considered are:

1) Risk Acceptance. To accept the potential risk and continue operating the IT system or
to implement controls to lower the risk to an acceptable level.

2) Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence
(e.g. forgo certain functions of the system or shut down the system when risks are
identified).

3) Risk Limitation. To limit the risk by implementing controls that minimize the
adverse impact of a threat's exercising a vulnerability (e.g., use of supporting,
preventive, detective controls).

4) Risk Transference. To transfer the risk by using other options to compensate for the
loss, such as purchasing insurance.

The table below presents an overview of identified risks, their likelihood rating, impact level
and corresponding response strategies.

| Identified Risk | Category | Likelihood Rating | Impact Level | Response Strategy |
|---|---|---|---|---|
| Application Instability | Threat | Low | Low | Limit |
| Hack Attack | Threat | High | High | Limit |
| Insider Attack | Threat | Medium | Low | Avoid |
| Environmental Threat | Threat | Low | Low | Limit |
| Natural Threat | Threat | Low | High | Transfer |
| Physical Threat | Threat | Medium | Medium | Limit |
| Social Engineering | Threat | Low | Medium | Limit |
| Network Downtime | Threat | High | High | Accept |
| Power Outage | Threat | Low | High | Limit |
| Weak Password | Vulnerability | Low | Medium | Avoid |
| Terminated Employees | Vulnerability | Low | Medium | Limit |
| Flawed Programs | Vulnerability | Medium | Low | Limit |
| Weak Access Control Setting | Vulnerability | Medium | Medium | Limit |
| Weak Firewall Configuration | Vulnerability | High | Medium | Limit |
| Misconfigured Devices | Vulnerability | Medium | Low | Limit |
| Poor User Training | Vulnerability | Medium | Medium | Limit |

Above is the Risk Response Strategy Table

| Likelihood | Definition |
|---|---|
| High | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. [1] |
| Medium | The threat-source is motivated and capable but controls are in place that may impede successful exercise of the vulnerability. [1] |
| Low | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede the vulnerability from being exercised. [1] |

Above is the Likelihood Definition Table

| Impact | Definition |
|---|---|
| High | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury. [1] |
| Medium | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury. [1] |
| Low | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest. [1] |

Above is the Impact Definition Table
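The likelihood and impact ratings can be combined into a single risk level per row. The following added example (not part of the original report) applies the risk-level matrix from NIST SP 800-30, the guide the report cites but does not reproduce, to the rows of the Risk Response Strategy Table, and lists any High-rated risk whose recorded response is Accept so that it can be reviewed.

```python
# Risk-level matrix weights from NIST SP 800-30 (2002), the guide the report
# cites; the report does not reproduce the matrix. Likelihood weights
# 1.0 / 0.5 / 0.1 are stored in tenths to keep the arithmetic in integers.
LIKELIHOOD_TENTHS = {"High": 10, "Medium": 5, "Low": 1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Rows copied from the Risk Response Strategy Table:
# (identified risk, likelihood rating, impact level, response strategy)
RISKS = [
    ("Application Instability", "Low", "Low", "Limit"),
    ("Hack Attack", "High", "High", "Limit"),
    ("Insider Attack", "Medium", "Low", "Avoid"),
    ("Environmental Threat", "Low", "Low", "Limit"),
    ("Natural Threat", "Low", "High", "Transfer"),
    ("Physical Threat", "Medium", "Medium", "Limit"),
    ("Social Engineering", "Low", "Medium", "Limit"),
    ("Network Downtime", "High", "High", "Accept"),
    ("Power Outage", "Low", "High", "Limit"),
    ("Weak Password", "Low", "Medium", "Avoid"),
    ("Terminated Employees", "Low", "Medium", "Limit"),
    ("Flawed Programs", "Medium", "Low", "Limit"),
    ("Weak Access Control Setting", "Medium", "Medium", "Limit"),
    ("Weak Firewall Configuration", "High", "Medium", "Limit"),
    ("Misconfigured Devices", "Medium", "Low", "Limit"),
    ("Poor User Training", "Medium", "Medium", "Limit"),
]


def risk_level(likelihood, impact):
    """Return (score, level): score > 50 is High, > 10 is Medium, else Low."""
    score = LIKELIHOOD_TENTHS[likelihood] * IMPACT[impact] // 10
    return score, "High" if score > 50 else "Medium" if score > 10 else "Low"


def ranked(risks=RISKS):
    """Risks sorted by descending score; ties keep their table order."""
    scored = [(name, *risk_level(lik, imp), resp) for name, lik, imp, resp in risks]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def accepted_high(risks=RISKS):
    """High-rated risks whose recorded response is Accept, listed for review."""
    return [n for n, _s, level, resp in ranked(risks) if level == "High" and resp == "Accept"]


if __name__ == "__main__":
    for name, score, level, resp in ranked():
        print(f"{score:>3}  {level:<6}  {resp:<8}  {name}")
```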

2. Control Analysis

A control analysis was conducted to assess the existence and implementation of technical,
operational and management security controls. The general areas to be addressed include:

• System/data access controls
• System/data integrity controls
• Operating system implementation
• Auditing capabilities
• Security management procedures and controls
• Network security controls
• Disaster recovery

The following system or application security controls are analyzed:

1. Technical controls, according to Stoneburner, Goguen and Feringa (2002), are those
safeguards incorporated into computer hardware, software or firmware. They include:

| Security Controls - Technical | Current Status |
|---|---|
| 1. Antivirus software | Existent |
| 2. Identification & Authentication mechanisms | Existent |
| 3. Firewalls | Existent |
| 4. Encryption | Existent |
| 5. Audit trails | Non-existent |
| 6. Backups | Non-existent |
| 7. Intrusion detection systems | Non-existent |
| 8. Access control mechanisms | Non-existent |

2. Operational controls are those operational procedures, personnel and physical security
measures established to provide an acceptable level of protection for computing
resources. They include:

| Security Controls - Operational | Current Status |
|---|---|
| 1. Security awareness and training | Non-existent |
| 2. Disaster recovery, contingency, and emergency plans | Existent |
| 3. Background investigations | Non-existent |
| 4. Security reviews and audits | Non-existent |
| 5. Separation of duties | Non-existent |

3. Administrative and Management controls are those security measures that focus on
the management of the system and risk. These measures include:

| Security Controls - Management | Current Status |
|---|---|
| 1. Security reviews and assessments | Existent |
| 2. Risk assessments | Existent |
| 3. Rules of behavior | Existent |

7. Conclusion

The creation of the university student record system, from the requirements-gathering stage
through design, implementation, testing, documentation and maintenance, has proved beneficial
to the team members. We have learnt valuable techniques that are used in producing a
functional Management Information System. We have also been able to demonstrate the
complex and intricate relationship between business, organisational and information systems
strategies. The proposed system will ensure efficient data collection and the security of the
system.

8. References

1. Jun, H, & King, W 2008, 'The Role of User Participation in Information Systems Development:
Implications from a Meta-Analysis', Journal Of Management Information Systems, 25, 1, pp. 301-331,
Business Source Premier, EBSCOhost, viewed 3 December 2012.

2. Ochodek, M, Alchimowicz, B, Jurkiewicz, J, & Nawrocki, J 2011, 'Improving the reliability of
transaction identification in use cases', Information & Software Technology, 53, 8, pp. 885-897,
Business Source Premier, EBSCOhost, viewed 3 December 2012.

3. Henderson, J.C. & Venkatraman, N., 1999. Strategic alignment: leveraging information technology for
transforming organizations. IBM Syst. J., 38(2-3), 472-484.

4. Luftman, J. & Brier, T., 1999. Achieving and sustaining business-IT alignment. California Management
Review, 42(1), 110.

5. Keri, P, Carol, S (2009) Strategic management of information systems. 4th ed. Asia: John Wiley &
Sons.

6. James, O, George, M (2011) Management information systems. 10th ed. USA: McGraw-Hill.

7. Stoneburner G., Goguen A. and Feringa A. (2002) Risk Management Guide for Information Technology
Systems. NIST Special Publication 800-30. [Online] Available at: csrc.nist.gov/publications/nistpubs
(Accessed: 26 November 2012).

8. U.S. Department of Transportation (2012) Office of International Programs: Risk Mitigation and
Planning. Available at: http://international.fhwa.dot.gov/riskassess/risk_hcm06_05.cfm (Accessed: 26
November 2012).

9. Epiphaniou, G. (2011) 'Week 2: Computer Security'. Principles and Elements of Security. [Online].
Available at: http://breo.beds.ac.uk (Accessed: 26 November 2012).

10. Goodchild, Joan (2010). 'Social Engineering: The Basics'. What is social engineering?. Wikipedia.
[Online] Available at: http://www.csoonline.com/article/514063/social-engineering-the-basics.
(Accessed: 26 November 2012).

9. Appendix

Login Design Interface


Welcome to the Student Record System
Students should login using their Student Number as their [Username] and Date of Birth as their
[Password] in the format ddmmyy. Staff will be supplied with a username and password on
submission of an approved access request form.

Enter your username and password

Login as <Admin/Student>
Username
Password
Login
Forgot password

*if logged in as Admin

You are logged in as Admin | Logout

Register new student (take to registration page)

Generate enquiry and/or edit using the following search criteria
Select * by Date of Entry: ??
Select * by Department Order by Last name
Select Events by Date of Entry: ??
Select * by Student number

Report/Result

*if logged in as Student

Welcome [Student name] | Logout

Student Overview
Personal Details
Course Information
Study Details
Edit
Academic Issues & Activities
Financial Statements
Print Assignment Topsheet
Academic Results
Print Results

Created: 27/10/2012

Registration Design Interface
A. Personal Details
First name Last name
Address Postcode
Telephone Email
Date of birth *calendar script Passport no.
B. Education Details / Academic Qualifications
Programme of Study Start Date End Date Date of Award Name of Qualification
(mm/yyyy) (mm/yyyy) (mm/yyyy) Institution

Clear selected Add more fields


C. Student Course Information
Department <build list>
Course title <build list>
Qualification <Undergraduate/Postgraduate/Research>
*show if PG/Res. selected . Term <Full Time/Part Time>
*show if UG selected. Level <UG Year 1/UG Year 2/UG Year 3>
Award name
Date of Entry

D. Study Details / Course Modules


Department Unit (auto) Semester Year Unit Code (auto) Grade

Clear selected
Add more fields
E. Academic Issues

No recorded event for this student.

Record new event

Event type <Advice/Mitigation/PAD>

Date of appointment

Staff consulted

Resolution/Suggestion

Submit
Entity Relationship Diagram

Data Normalisation

Unnormalised Data (UNF) of the ER Model

• Student First_name, Last_name, Telephone, Address, Post_code, Date_of_birth, Email, Password, Qualification, Institution attended, Date_of_award, Proposed Course_title, Start_date, Department_name, Unit_name, Degree_type, Event_type, Date_of_appointment, Staff_consulted, Comment

First Normal Form (1NF) of the ER Model

• Student_id, First_name, Last_name, Telephone, Address, Post_code, Date_of_birth, Email, Password
• Student_id, Qualification, Institution, Date_of_award, Course_id, Course_title
• Course_id, Course_title, Start_date, Department_name, Unit_id, Unit_name, Degree_id, Degree_type
• Student_id, Event_type, Date_of_appointment, Staff_consulted, Comment

Second Normal Form (2NF) of the ER Model

• Student_id, First_name, Last_name, Telephone, Address, Post_code, Date_of_birth, Email, Password
• Student_id, Qualification, Institution, Date_of_award, Course_id
• Course_id, Course_title, Start_date, Department_id, Department_name, Degree_id
• Degree_id, Degree_type, Level
• Unit_id, Unit_name, Semester, Year, Grade, Course_id
• Course_id, Unit_id
• Student_id, Event_type, Date_of_appointment, Staff_consulted, Comment

Third Normal Form (3NF) of the ER Model

• Student_id, First_name, Last_name, Telephone, Address, Post_code, Date_of_birth, Email, Password
• Student_id, Qualification, Institution, Date_of_award, Course_id
• Course_id, Department_id, Course_title
• Department_id, Department_name
• Student_id, Unit_id, Semester, Year, Grade
• Unit_id, Course_id
• Unit_id, Unit_name
• Student_id, Course_id, Start_date, Degree_id
• Degree_id, Degree_type, Level
• Student_id, Event_type, Date_of_appointment, Staff_consulted, Comment

Figure 6: Admin dashboard view

Figure 7: Student units view

Figure 8: Database tables in phpmyadmin

Figure 9: Student's details from admin viewpoint

Figure 10: Student's view from his/her viewpoint
