Wednesday, April 3, 2019
The Cathay Pacific Airways Information Technology Essay
This report comprises all the relevant information regarding Cathay Pacific Airways, especially its security governance framework. It sums up four parts: the background of the organization, potential areas of IT security failures, the recommended IT security governance framework, and lastly the issues and challenges faced by that security governance framework. In the very first part, we have described basic facts such as its headquarters, its fleet of airbuses, worldwide destinations and its achievements.

The second part of the report covers the specific areas where security failures may occur. These areas include managing the core business systems, because the airline adopted legacy systems, which are easily susceptible to security threats. Secondly, these systems cannot cope with current competitive requirements. Furthermore, with its wide infrastructure of desktop PCs, the airline's data flows over the network, where it can be captured by intruders or hackers. This may cause disruptions to routine business. Its business-to-business (B2B) interchange of data again creates vulnerabilities in its IT infrastructure. The pervasiveness of networks creates a more open set of information systems for the mobile and diverse needs of the organisation. This mobile system may be easily attacked by internal and external sources.

In the third part, this report discusses the IT governance framework. This framework is the one recommended for implementation in the organization. The governance structure is fully responsible for providing control and sound management of IT security. Within the structure, each person is responsible at his own level for the security and safety of IT assets and for data protection.

Lastly, this report raises various issues and challenges confronting the security governance structure while managing and controlling the security of the IT infrastructure of Cathay Pacific.

INTRODUCTION

Today, every organization has adopted or is thinking of adopting IT infrastructure. Once it is implemented, it needs security. IT assets, databases and information traffic on ubiquitous networks need to be fully protected. That is why a necessity relating to this IT infrastructure in an organization has cropped up. For safety and security, security governance has been thought of. It may comprise shareholders, the board of directors, the CIO, the financial manager and so on. These persons are fully responsible for controlling and streamlining all the information systems of an organization like Cathay Pacific. This governance framework follows various new laws and regulations designed to improve security governance. Threats of information system disruptions from hackers, worms, viruses and terrorists have resulted in the need for this governance. This report clearly explains security failures, the governance framework for ICT, and IT-related issues and challenges.

BACKGROUND OF ORGANISATION

Cathay Pacific Airways is an international airline registered and based in Hong Kong, offering scheduled cargo and passenger services to over 90 destinations around the world. The main vision of this company is to make Cathay Pacific the most admired airline in the world. To achieve this goal Cathay started its journey in 1946, and now it is known as the best airline in Asia. It is one of the five airlines to carry a five-star rating from Skytrax (Cathay Pacific 2007).
The official website of Cathay Pacific is http://www.cathaypacific.com/cpa/en_INTL/homepage

Cathay Pacific was established in 1946 in Hong Kong with a mere two DC-3 aircraft servicing passenger routes for Bangkok, Shanghai, Manila and Singapore. From its modest beginnings, it has to date grown into a world-class airline employing over 15,000 employees and reaching out to 62 worldwide destinations. It owns over a flierinal wide-bodied aircraft that transport over a million passengers a month to almost every continent in the world (McFarland & Young, 2003), and it transports freight worldwide, which contributes nearly 30% of its revenue. Profits stood at $511 million during 2002, and Cathay expanded into the state-of-the-art $628 million global headquarters in Cathay City. Cathay has always faced numerous challenges on its way to success. Nevertheless, its management acknowledges the fact that, in order to remain competitive given the current market situation, it is of utmost importance to improve the strategic and non-strategic view of its entire ICT resource. Cathay Pacific continues to invest in new ICT infrastructure to streamline its business processes and make information easier to access for all employees. As part of this process, Cathay Pacific implemented technology solutions designed to automate and simplify customer and financial information management.

POTENTIAL AREAS OF IT SECURITY FAILURES

Currently, many airlines are looking at e-business to protect their assets, to secure customers' loyalty, and to be successful in today's competitive environment. Many e-commerce principles have been pioneered by the airline industry. These include the first business-to-business electronic information exchange and industry-wide electronic marketplace.
There are many other benefits to be gained for airlines and airline passengers: e-ticketing, e-check-in and many other web-based services provide customers with quick and low-cost services. But there is still hesitation among many people, and even many companies, about committing any major effort to electronic commerce. The main concern is the security of sensitive data, such as credit card numbers, personal data and business confidential data (Jiang 2003).

Managing Core Business System

Cathay Pacific has been developing in-house systems since the 70s. Some of its core business systems are accounting systems, engineering systems, personnel and flight systems and other internal applications. Legacy systems are systems that have evolved over many years and are considered irreplaceable, either because re-implementing their function is considered to be too expensive or because they are trusted by users (Dietrich 1989). Businesses change constantly in order to meet the demands of the marketplace, and this necessitates the need for information systems to evolve accordingly (McKeen & Smith 1996). Over 20 years later, Cathay realized that the coordination and support of these systems was a cumbersome task that could potentially stunt the strategic growth of the company. Given its phenomenal growth rate, Cathay realized that the IM division would not be able to cope with the ever-changing business requirements. Legacy passenger service systems may not be flexible and scalable enough to support the new marketing strategies of airlines today (Cavaliere 2006). Cathay needed a technology that keeps costs down and is flexible whilst at the same time delivering on both today's needs and those of the future. Customizing current legacy systems to match these current competitive requirements simply consumed too much time and resources.
McKeen and Smith (1996) further argue that since change is a constant in business and in technology, demand for maintenance is unceasing, and since live systems are the ones running the business, maintenance work can easily overwhelm new development.

Managing Network Infrastructure and Desktop PCs

Infrastructure plays an important role in ensuring vital support is supplied to systems development teams and that effective coordination and direction is available to IS as a whole (McKeen & Smith 1996). Cathay's rapid expansion to new destinations and the tremendous surge in route expansion, passenger and cargo volume in the 80s caused Cathay's network infrastructure to continue to expand. Without infrastructure, productivity will soon decline as individuals and groups each attempt to replicate the work of others. Cathay's data centers, which coordinated fundamental airline operations, were located in two places, in Kowloon and on Hong Kong Island. These data centers provided uninterrupted information to Cathay's airline operations. The fire in 1991 at Cathay's data center interrupted flight operations for 12 hours. Cathay's management realized that ensuring uninterrupted information flow to critical business functions is a top priority for the organization. IT infrastructure and facilities need to grow in tandem with the organization's growth pace. Almost full at its operational capacity at its current data center, Cathay probably needed a few more data centers to manage the organization's information at the current growth rate.

The mid 90s saw an uneven PC distribution at Cathay Pacific. PC distribution to staff members depended on each staff member's level of security access. This caused some of the staff to have a PC while others did not. This uneven distribution was finally rectified by Cathay's outsourcing of its PC management to IBM in 2001.
The costs involved in outsourcing these services mean that more scrupulous attention will be paid to them on an ongoing basis. Nevertheless, the outsourcing exercise posed its own complexity involving hardware and software licensing issues. Managing dynamic changes in the desktop environment and the suppliers was the main challenge in desktop PC management for Cathay. The PC outsourcing trend was still new in this region and thus raised skepticism among managers in the initial stage.

Managing B2B System Integration

In a broad sense, business-to-business (B2B) integration refers to all business activities of an enterprise that have to do with electronic message exchange between it and one or more of its trading partners (Bussler 2003). Bussler further narrows down this definition to a software technology scope: B2B integration refers to software technology that is the infrastructure to connect any back-end application system within enterprises to all trading partners over formal message exchange protocols like Electronic Data Interchange (EDI). Cathay is naturally in a highly competitive and challenging airline business. Fundamental flight operational information can be very dynamic, and customers must be kept updated with the latest information. Information, fares and schedules have to be accurate; sales promotions and marketing activities are constantly changing. Flight operations are vulnerable to any changes in weather, which may cause last-minute schedule changes or cancellations. With the wide array of multiple destinations, languages, time zones and alerting travelers, the airline business is a constant logistical operations challenge for Cathay. This information needs to be translated into online web content in order to fulfill its B2B requirement.
Information has to be accurate, the selling channel has to be reliable and secure, changes have to be updated quickly, and last-minute flight disruptions have to be communicated to passengers immediately and consistently by a number of different channels. Such an e-business vision has required a sophisticated architecture of specialist platforms designed to integrate and deliver a number of different information and application components in a seamless manner. Content management is one of the core components in Cathay Pacific's e-business architecture. It was vital for the airline to ensure that it invested in the right product that could deliver its promise within budget and on time.

Managing Standards

As the pervasiveness of networks creates a more open set of information systems for the mobile and diverse needs of the organization, increased attention must be paid to the corresponding increase in exposure to attacks from internal and external sources (Dhillon, 2001). Cathay uses the Secure Sockets Layer (SSL) protocol, an industry standard for encryption over the Internet, to protect data. Cathay's main challenge to date is that it is unable to give its partners and customers full confidence, since even with the most recent security standards any internet transaction could be leaked by individuals through internet hacking. This is acknowledged in its website statement, which says that complete confidentiality and security is not yet possible over the Internet, and privacy cannot be assured over all internet communication between the business and its customers (Cathay Pacific 2007). To ensure reliable B2B applications, Cathay Pacific has to ensure that the latest standards, such as XML and open source technology, are used extensively in all its business-critical software applications.
Digital certification for all online transactions, especially the ones that involve monetary exchange, is imperative in ensuring customer confidence and avoiding security breaches.

RECOMMENDED IT SECURITY GOVERNANCE FRAMEWORK

There are many definitions that describe Corporate Governance of ICT. Here I choose a few interesting definitions to be discussed in this report. Corporate Governance of ICT is "Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT" (Weil & Ross, 2004). In contrast, the IT Governance Institute (2003) expands the definition to include underpinning mechanisms: "the leadership and organizational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives". Meanwhile AS8015, the Australian Standard for Corporate Governance of IT, defines Corporate Governance of IT as "The system by which the current and future use of IT is directed and controlled. It involves evaluating and directing the plans for the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization."

Figure 1: AS 8015-2005 model of Corporate Governance of ICT (Source: Skinner, 2006)

Every definition has its own way of describing the term Corporate Governance of IT, but I think the definition of AS8015, the Australian Standard for Corporate Governance of IT, is the most understandable and clearly defined (see Figure 1). AS8015 clarified what's really important: the organisation's goal (Toomey, 2006). However, we can see that every definition focuses on the same issue, which is directing and controlling the implementation of IT according to the organisation's strategy and policies. This involves the contribution of every stakeholder of the organization to decision making.
As we can see, the IT Governance Institute has also mentioned the word Leadership, which stands for the principals of the organization, the board of directors and the management team, who must manage the effective use of IT to achieve the strategies and objectives. This is unlike the old days, when the IT system was managed by the IT department alone. When talking about IT management, people often mix it up with IT governance. They are not the same thing. Governance is the process by which management is monitored and measured. It is not a substitute for management; it is a way of ensuring that sound management occurs (Philipson, 2005). There are many key drivers for Corporate Governance of IT. In this report I will focus on legal and regulatory compliance, which will be discussed in the next part of the report.

IT Governance Framework of Cathay Pacific

Information security governance is the responsibility of the board of directors and senior executives. It must be an integral and transparent part of enterprise governance and be aligned with the IT governance framework. Whilst senior executives have the responsibility to consider and respond to the concerns and sensitivities raised by information security, boards of directors will increasingly be expected to make information security an intrinsic part of governance, integrated with processes they already have in place to govern other critical organisational resources. To exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their enterprise's information security program. They need to know how to direct the implementation of an information security program, how to evaluate their own status with regard to an existing security program and how to decide the strategy and objectives of an effective security program.
Whilst there are many aspects to information security governance, there are several matters that can assist in focusing on the question, "What is information security governance?" These are the:
- Desired outcomes of information security governance
- Knowledge and protection of information assets
- Benefits of information security governance
- Process integration
(IT Governance Institute 2006)

Figure 2: IT Security Governance Framework of Cathay Pacific (Source: Poore 2005)

Information security governance consists of the leadership, organisational structures and processes that safeguard information. Critical to the success of these structures and processes is effective communication amongst all parties based on constructive relationships, a common language and shared commitment to addressing the issues. The five basic outcomes of information security governance should include:
1. Strategic alignment of information security with business strategy to support organisational objectives
2. Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
3. Resource management by utilising information security knowledge and infrastructure efficiently and effectively
4. Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organisational objectives are achieved
5. Value delivery by optimising information security investments in support of organisational objectives

The National Association of Corporate Directors (NACD), the leading membership organisation for boards and directors in the US, recognises the importance of information security. It recommends four essential practices for boards of directors, as well as several specific practices for each point.
The four practices, which are based on the practicalities of how boards operate, are:
- Place information security on the board's agenda.
- Identify information security leaders, hold them accountable and ensure support for them.
- Ensure the effectiveness of the corporation's information security policy through review and approval.
- Assign information security to a key committee and ensure adequate support for that committee (IT Governance Institute 2006).

Benefits of Information Security Governance

Information security governance generates significant benefits, including:
- An increase in share value for organisations that practice good governance
- Increased predictability and reduced uncertainty of business operations by lowering information security-related risks to definable and acceptable levels
- Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
- The structure and framework to optimise allocation of limited security resources
- Assurance of effective information security policy and policy compliance
- A firm foundation for efficient and effective risk management, process improvement, and rapid incident response related to securing information
- A level of assurance that critical decisions are not based on faulty information
- Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response

The benefits add significant value to the organisation by:
- Improving trust in customer relationships
- Protecting the organisation's reputation
- Decreasing likelihood of violations of privacy
- Providing greater confidence when interacting with trading partners
- Enabling new and better ways to process electronic transactions
- Reducing operational costs by providing predictable outcomes, mitigating risk factors that may interrupt the process (IT Governance Institute 2006).

ISSUES AND CHALLENGES

In the ICT world today, not every organisation will be able to achieve success or reap its benefits. Too many ICT initiatives have failed to deliver the bottom-line results companies had hoped for. One very common reason for failure is that organizations fail to have good management and control of their IT systems. The Data Governance Council, with a focus on the review and approval aspects of board responsibilities, recently recommended that boards provide strategic oversight regarding information security, including:
1. Understanding the criticality of information and information security to the organisation
2. Reviewing investment in information security for alignment with the organisation strategy and risk profile
3. Endorsing the development and implementation of a comprehensive information security program.

Let's discuss the major issues and challenges faced by Cathay Pacific in implementing an IT security governance framework. Boards and management have several fundamental responsibilities to ensure that information security governance is in force. Amongst the issues they should focus on are:

Understand Why Information Security Needs to Be Governed
- Risks and threats are real and could have significant impact on the enterprise.
- Reputation damage can be considerable.
- Effective information security requires co-ordinated and integrated action from the top down.
- IT investments can be substantial and easily misdirected.
- Cultural and organisational factors are equally important.
- Rules and priorities need to be established and enforced.
- Trust needs to be demonstrated toward trading partners whilst exchanging electronic transactions.
- Trust in reliability of system security needs to be demonstrated to all stakeholders.
- Security incidents are likely to be exposed to the public.

Take Board-level Action
- Become informed about information security.
- Set direction, i.e., drive policy and strategy and define a global risk profile.
- Provide resources to information security efforts.
- Assign responsibilities to management.
- Set priorities.
- Support change.
- Define cultural values related to risk awareness.
- Obtain assurance from internal or external auditors.
- Insist that management makes security investments and security improvements measurable, and monitors and reports on program effectiveness (IT Governance Institute 2006).

Take Senior Management-level Action
- Provide oversight for the development of a security and control framework that consists of standards, measures, practices and procedures, after a policy has been approved by the governing body of the organisation and related roles and responsibilities assigned. (Design)
- Set direction for the creation of a security policy, with business input. (Policy Development)
- Ensure that individual roles, responsibilities and authority are clearly communicated and understood by all. (Roles and Responsibilities)
- Require that threats and vulnerabilities be identified, analysed and monitored, and industry practices used for due care.
- Require the set-up of a security infrastructure.
- Set direction to ensure that resources are available to allow for prioritization of possible controls and countermeasures, implemented accordingly on a timely basis, and maintained effectively. (Implementation)
- Establish monitoring measures to detect and ensure correction of security breaches, so all actual and suspected breaches are promptly identified, investigated and acted upon, and to ensure ongoing compliance with policy, standards and minimum acceptable security practices. (Monitoring)
- Require that periodic reviews and tests be conducted.
- Institute processes that will help implement intrusion detection and incident response.
- Require monitoring and metrics to ensure that information is protected, correct skills are on hand to operate information systems securely and security incidents are responded to on a timely basis. Education in security measures and practices is of critical importance for the success of an organisation's security program. (Awareness, Training and Education)
- Ensure that security is considered an integral part of the systems development life cycle process and is explicitly addressed during each phase of the process. (IT Governance Institute 2006)

Questions to Uncover Information Security Issues
- Does the head of security/CISO routinely meet or brief business management?
- When was the last time top management got involved in security-related decisions? How often does top management get involved in progressing security solutions?
- Does management know who is responsible for security? Does the responsible individual know? Does everyone else know?
- Would people recognise a security incident when they saw one? Would they ignore it? Would they know what to do about it?
- Does anyone know how many computers the company owns? Would management know if some went missing? Are damage assessment and disaster recovery plans in place?
- Has management identified all information (customer data, strategic plans, financial data, research results, etc.) that would violate policy, legal or regulatory requirements or cause embarrassment or competitive disadvantage if it were leaked?
- Did the company suffer from the latest virus or malware attack? How many attacks were successful during the past 12-month period?
- Have there been intrusions? How often and with what impact?
- Does anyone know how many people are using the organisation's systems?
- Does anyone care whether or not they are allowed access, or what they are doing?
- Is security considered an afterthought or a prerequisite?
(IT Governance Institute 2006)

CONCLUSIONS

Information security is not only a technical issue, but a business and governance challenge that involves adequate risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organisation's response to them. As organisations like Cathay Pacific strive to remain competitive in the global economy, they respond to constant pressures to cut costs through automation, which often requires deploying more information systems. The combination is forcing management to face difficult decisions about how to effectively address information security. This is in addition to scores of new and existing laws and regulations that demand compliance and higher levels of accountability.